Extract the env-var name from a $ENV:VAR reference, or null if the
value is a literal secret. Safe to display: the env-var name is not
itself sensitive (it's a well-known identifier the user chose), and this
helper exists so callers printing the source of a credential can avoid
handling the raw client_secret field value at all.
Extract the env-var name from a
$ENV:VARreference, ornullif the value is a literal secret. Safe to display: the env-var name is not itself sensitive (it's a well-known identifier the user chose), and this helper exists so callers printing the source of a credential can avoid handling the rawclient_secretfield value at all.