Addresses CodeQL cleartext-logging alerts (#1, #2, #3) by implementing
session ID redaction for CLI output.
Changes:
- Extract marathonctl into standalone crate (crates/marathonctl)
- Add session ID redaction showing only first 8 characters by default
- Add --show-sensitive/-s flag for full session IDs when debugging
- Implement beautiful ratatui-based UI module with inline viewport
- Add .envrc to .gitignore for secure token management
- Document GitHub token setup in CONTRIBUTING.md
The CLI now provides a secure-by-default experience while maintaining
debugging capabilities through explicit opt-in flags. Session IDs are
redacted to format "abc-def-..." unless --show-sensitive is specified.
UI module provides easy-to-use builder APIs (ui::table, ui::grid, ui::list)
that render beautiful terminal output without hijacking the terminal.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
