feat(secrets): finalize external secrets runtime and migration hardening

src/commands/models/list.status.test.ts

@@ -229,6 +229,35 @@ describe("modelsStatusCommand auth overview", () => {
     ).toBe(true);
   });
 
+  it("does not emit raw short api-key values in JSON labels", async () => {
+    const localRuntime = createRuntime();
+    const shortSecret = "abc123";
+    const originalProfiles = { ...mocks.store.profiles };
+    mocks.store.profiles = {
+      ...mocks.store.profiles,
+      "openai:default": {
+        type: "api_key",
+        provider: "openai",
+        key: shortSecret,
+      },
+    };
+
+    try {
+      await modelsStatusCommand({ json: true }, localRuntime as never);
+      const payload = JSON.parse(String((localRuntime.log as Mock).mock.calls[0]?.[0]));
+      const providers = payload.auth.providers as Array<{
+        provider: string;
+        profiles: { labels: string[] };
+      }>;
+      const openai = providers.find((p) => p.provider === "openai");
+      const labels = openai?.profiles.labels ?? [];
+      expect(labels.join(" ")).toContain("...");
+      expect(labels.join(" ")).not.toContain(shortSecret);
+    } finally {
+      mocks.store.profiles = originalProfiles;
+    }
+  });
+
   it("uses agent overrides and reports sources", async () => {
     const localRuntime = createRuntime();
     await withAgentScopeOverrides(