
security: redact sensitive data in exports, events, and execution results #48

@blindzero

Description


Goal

  • Prevent accidental leakage of secrets via plan export artifacts, event payloads, or execution results.
  • Provide a secure-by-default baseline for production usage (v1.0.0).

Scope

  • Add a core redaction utility that produces a redacted copy of structured objects (hashtables, PSCustomObject, arrays).
  • Redact by key name (case-insensitive) using a default list, e.g.:
    • password, passphrase, secret, token, apikey, apiKey, clientSecret, accessToken, refreshToken, credential, privateKey
  • Always redact these types when encountered:
    • PSCredential, SecureString (and any equivalent secure containers)
  • Apply redaction at these output boundaries:
    • Event emission: Event.Data and related payloads (before sending to external sinks and before buffering)
    • Export: inputs / expectedState (canonical plan/workflow JSON export)
    • Execution result: returned Providers payload (and any other user-facing output surfaces that may contain secrets)
  • Redaction placeholder must be stable and testable (e.g. "[REDACTED]").
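
As an added illustration of the utility this Scope describes (not code from the issue or the project), a PowerShell function that returns a redacted copy of hashtables, PSCustomObjects and arrays, matching key names case-insensitively against the default list and always replacing PSCredential and SecureString values with the "[REDACTED]" placeholder. The name Get-RedactedCopy and the sample input are assumptions.

```powershell
# Illustrative sketch of the redaction utility; Get-RedactedCopy and the
# variable names are assumptions, not the project's API. Returns a redacted
# COPY and leaves the original object untouched.
$script:DefaultRedactedKeys = @(
    'password', 'passphrase', 'secret', 'token', 'apikey',
    'clientSecret', 'accessToken', 'refreshToken', 'credential', 'privateKey'
)
$script:Placeholder = '[REDACTED]'

function Get-RedactedCopy {
    param([AllowNull()] $InputObject, [string[]] $KeyNames = $script:DefaultRedactedKeys)
    if ($null -eq $InputObject) { return $null }
    # Secure containers are always redacted, whatever key they sit under.
    if ($InputObject -is [System.Management.Automation.PSCredential] -or
        $InputObject -is [System.Security.SecureString]) { return $script:Placeholder }
    # Strings are IEnumerable too, so stop here before the collection branch.
    if ($InputObject -is [string] -or $InputObject.GetType().IsValueType) { return $InputObject }
    if ($InputObject -is [System.Collections.IDictionary]) {
        $copy = [ordered]@{}
        foreach ($key in $InputObject.Keys) {
            # -in compares strings case-insensitively, so 'Password' and 'apiKey' both match.
            $copy[$key] = if ("$key" -in $KeyNames) { $script:Placeholder } else { Get-RedactedCopy $InputObject[$key] $KeyNames }
        }
        return $copy
    }
    if ($InputObject -is [System.Collections.IEnumerable]) {
        $items = @(foreach ($i in $InputObject) { Get-RedactedCopy $i $KeyNames })
        return ,$items   # unary comma keeps single-element arrays from collapsing
    }
    if ($InputObject -is [System.Management.Automation.PSCustomObject]) {
        $copy = [ordered]@{}
        foreach ($p in $InputObject.PSObject.Properties) {
            $copy[$p.Name] = if ($p.Name -in $KeyNames) { $script:Placeholder } else { Get-RedactedCopy $p.Value $KeyNames }
        }
        return [pscustomobject]$copy
    }
    return $InputObject   # any other leaf value passes through unchanged
}

# Constructed sample plan inputs (not from the project), mixing nested
# containers, a case-variant key and a PSCredential.
$sample = [ordered]@{
    name       = 'web-frontend'
    Password   = 'hunter2'
    credential = [pscredential]::new('svc', (ConvertTo-SecureString 'p@ss' -AsPlainText -Force))
    providers  = @(@{ apiKey = 'abc123'; region = 'eu-west-1' })
}
Get-RedactedCopy $sample | ConvertTo-Json -Depth 5
```

The exported JSON keeps name and region but shows "[REDACTED]" for Password, credential and apiKey, which is the property a test for the export boundary can assert on.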

Non-Goals

  • Do not attempt to parse or redact free-text strings reliably (e.g., error messages). Document the best practice instead: do not place secrets in message strings.

Acceptance Criteria

  • Exported JSON never contains raw secret values when provided via inputs/expectedState.
  • Events never contain raw secret values in Event.Data when emitted by steps/providers.
  • Execution result never returns raw secret values under Providers.
  • Redaction behavior is deterministic and test-covered (export, events, result surface).
  • Documentation describes what is redacted and where (secure-by-default).
