fix(rolling-update): reject empty-key DEFAULT_EXTRA_ENV entries

- Codex P2 (rolling-update.sh:944, new angle over round 3): the prior
  validator only rejected entries without any equals sign; an entry
  like =1800MiB satisfied the *=* match and was let through, only to
  be rejected later by run_container key regex. Fail the merge
  explicitly for empty-key entries at the same point we fail on
  missing equals sign, so a malformed safeguard is caught with a
  clear message.

The round-3 Gemini Medium about read -a / set -e was verified against
bash 3.2 (macOS default): the existing [[ -n "$user" ]] guard prevents
the empty-here-string case and whitespace-only input reads successfully
into an empty array under bash 3.2. Not changing the || true shape the
reviewer suggested; the guard is sufficient and appending || true
would swallow real read failures.

Author: bootjp

scripts/rolling-update.sh

@@ -938,12 +938,21 @@ merge_extra_env() {
     # is baked into deploy.env — a malformed token there means a
     # safeguard we installed deliberately is silently ignored. Fail
     # loudly instead of dropping it.
+    # Three failure modes to catch early:
+    #   - no `=` at all (e.g. GOMEMLIMIT)           -> malformed
+    #   - empty key before `=` (e.g. =1800MiB)     -> malformed
+    #     (the `*=*` pattern match alone accepts this)
+    #   - empty pair (covered by the continue above)
     for pair in "${default_pairs[@]}"; do
       [[ -n "$pair" ]] || continue
       if [[ "$pair" != *=* ]]; then
         echo "rolling-update: malformed DEFAULT_EXTRA_ENV entry '$pair' (expected KEY=VALUE)" >&2
         return 1
       fi
+      if [[ "${pair%%=*}" == "" ]]; then
+        echo "rolling-update: malformed DEFAULT_EXTRA_ENV entry '$pair' (empty key)" >&2
+        return 1
+      fi
     done
   fi
   for pair in "${default_pairs[@]}"; do