feat(cli): add redacted share bundles #235

Open
ozymandiashh wants to merge 1 commit into getagentseal:main from ozymandiashh:feat/redacted-share

Conversation

@ozymandiashh
Contributor

Summary

CodeBurn users sometimes need to share enough local telemetry to debug provider parsing, cost attribution, or a suspicious session, but the existing JSON/reporting surfaces are not safe to paste into GitHub issues. Raw reports can include project names, absolute local paths, prompts, shell fragments, emails, and tokens.

This adds codeburn share, a local-only redacted JSON support bundle. It keeps the useful debugging structure (projects, sessions, turns, models, token usage, tools, activity categories, and costs) while replacing sensitive strings with stable placeholders such as [project:1], [path:1], [email:1], and [secret:1].

What changed

  • Add codeburn share with period, custom date range, provider, project, exclude, and output-path options.
  • Add src/share.ts for building codeburn.share.v1 bundles from parsed project summaries.
  • Pseudonymize project labels, including values passed through --project and --exclude.
  • Redact common sensitive values:
    • emails
    • macOS/Linux/Windows/UNC/relative paths
    • URL basic-auth credentials
    • bearer/basic auth headers
    • API key / token / password-style assignments, including JSON-like quoted keys
    • common token formats for OpenAI, GitHub, GitLab, Slack, Stripe, npm, AWS access keys, Google API keys, and JWTs
  • Preserve useful non-content debugging signals such as models, token usage, costs, tools, skills, agent-spawn flags, plan-mode flags, and timestamps.
  • Write default bundles with a timestamped filename to avoid accidental same-day overwrites.
  • Document the command and add an Unreleased changelog entry.

Privacy model

The command does not upload anything and does not add a support service. It writes a local JSON file and tells users to review the output before posting it publicly. Redaction is intentionally best-effort: it covers common leak patterns while preserving enough structure for maintainers to understand parser and cost attribution issues.

The tests construct secret-like fixture values at runtime instead of storing literal credentials in the repository, so the redaction cases remain covered without tripping repository secret scanning.

Validation

  • npx vitest run tests/share.test.ts tests/export.test.ts tests/cli-date.test.ts
  • npx vitest run
  • npm run build
  • node dist/cli.js share --help
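
The stable-placeholder redaction described in the pull request above, sketched as an added example; it is not code from the PR or from src/share.ts. The Redactor class, its four patterns and the sample lines are assumptions constructed for illustration, and cover only a small subset of the value types the PR lists.

```typescript
// Added illustration; not the PR's src/share.ts. Patterns are assumptions
// and, like the PR's stated privacy model, best-effort only.
type Kind = "secret" | "email" | "path";

// Secret rules run first so a token is replaced before a broader rule can split it.
const RULES: Array<[Kind, RegExp]> = [
  ["secret", /\bBearer\s+[A-Za-z0-9._~+\/-]+=*/g], // bearer auth header value
  ["secret", /\bgh[pousr]_[A-Za-z0-9]{20,}\b/g], // GitHub-style token shape
  ["email", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  ["path", /(?:\/(?:Users|home)\/|[A-Za-z]:\\)[^\s"']+/g], // home dirs, Windows drives
];

class Redactor {
  // One table per bundle: the same value always maps to the same label, so a
  // maintainer can correlate records without ever seeing the value itself.
  private labels: Record<string, string> = {};
  private counters: Record<Kind, number> = { secret: 0, email: 0, path: 0 };

  private placeholder(kind: Kind, value: string): string {
    const key = kind + "\u0000" + value;
    let label = this.labels[key];
    if (label === undefined) {
      this.counters[kind] += 1;
      label = "[" + kind + ":" + this.counters[kind] + "]";
      this.labels[key] = label;
    }
    return label;
  }

  redact(text: string): string {
    let out = text;
    for (const [kind, pattern] of RULES) {
      out = out.replace(pattern, (match) => this.placeholder(kind, match));
    }
    return out;
  }
}

// Constructed sample lines. The token is assembled at runtime so that no
// credential-shaped literal sits in the source file.
function demo(): string[] {
  const token = "ghp_" + "EXAMPLEexampleEXAMPLEexample0000";
  const r = new Redactor();
  return [
    r.redact("alice@example.test ran /Users/alice/proj/run.sh with " + token),
    r.redact("bob@example.test reused " + token + " from C:\\work\\proj"),
    r.redact("Authorization: Bearer " + "abc.DEF-123"),
  ];
}
```

Because the lookup table lives on the Redactor instance, placeholder numbers are stable within one bundle but not across bundles, which keeps two separately shared files from being linkable by label alone.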
