fix(payments): suppress codeql clear-text-logging false positive

The validate JSON output logs result.error.message, which CodeQL flags
because the upstream validation builds error strings from env-var NAMES
(e.g. AGENTCORE_CREDENTIAL_FOO_API_KEY_SECRET — the name of the env var,
not its value). The names are deterministic public strings derived from
the credential name; they never contain credential values. Suppress the
alert with a justification.

Author: aidandaly24

src/cli/commands/validate/command.tsx

@@ -16,6 +16,10 @@ export const registerValidate = (program: Command) => {
         if (result.success) {
           console.log(JSON.stringify({ success: true }));
         } else {
+          // codeql[js/clear-text-logging]: result.error.message contains validation messages
+          // and env-var NAMES (e.g. "AGENTCORE_CREDENTIAL_FOO_API_KEY_SECRET" — the variable
+          // name, not its value). It never contains credential values; the validate flow only
+          // checks .env.local presence and references vars by name.
           console.log(JSON.stringify({ success: false, error: result.error.message }));
         }
         process.exit(result.success ? 0 : 1);