Whether config show reports only set/not-set, never the raw value.
Named redacted rather than secret so the value (and the JSON field it
populates) carries no credential-suggesting identifier — the flag is
boolean metadata, and a secret-named value tripped CodeQL's clear-text
logging heuristic when written to stdout.
