security: avoid logging Droid settings contents #88

Open
EffortlessSteven wants to merge 1 commit into Factory-AI:dev from EffortlessSteven:sz/03-no-settings-content-logs

Conversation

@EffortlessSteven

Problem

setupDroidSettings printed the contents of an existing settings file.

Droid settings may contain provider credentials, custom model configuration, MCP env values, or token-shaped runtime fields. Logging the full settings object creates avoidable exposure in CI logs.

Change

  • Replace full settings JSON logging with a generic status message.
  • Keep settings merge behavior unchanged.
  • Add regression coverage that verifies sensitive values and key names are not logged.
  • Serialize non-string console args in the test capture path so object-shaped logs are not hidden as [object Object].

Review map

Area               Files                                            What to check
Logging behavior   base-action/src/setup-droid-settings.ts          Existing settings contents are not printed.
Regression test    base-action/test/setup-droid-settings.test.ts    String and object-shaped console output are caught.
Scope              Both files                                       Settings paths and merge semantics are unchanged.

Behavior

Before:

Found existing settings: { ...full settings JSON... }

After:

Found existing settings file

Settings merge behavior is unchanged.

Validation

cd base-action
bun test setup-droid-settings
bun test
bun run typecheck
bun run format:check

cd ..
bun run typecheck
bun run format:check

Non-goals

  • No settings path changes.
  • No artifact behavior changes.
  • No Droid model behavior changes.
  • No settings value or key-name logging.

Contribution license

This repository does not currently include a FOSS license or contributor license agreement.

For this pull request, I expressly grant Factory AI and its affiliates a perpetual, worldwide, royalty-free, irrevocable license to use, copy, modify, publish, distribute, sublicense, and relicense these contributions, including as part of this repository or any related Factory AI product or service.

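Added example, not part of this pull request or of the Factory-AI repository: a small TypeScript model of the two behaviours the description contrasts (logging the full settings object versus a generic status message) together with the test-capture detail it mentions. The settings shape (`provider.apiKey`, `mcpServers.*.env`), the sample values and every function name below are assumptions made for illustration; the point it demonstrates is that a capture helper which stringifies console arguments with `String()` turns an object into `[object Object]` and so cannot see a leaked secret, whereas one that serializes non-string arguments does.

```typescript
// Added example; not code from the Factory-AI repository. Function and
// field names are hypothetical. Sample settings below are constructed.

type Logger = (...args: unknown[]) => void;

// Hypothetical settings shape, loosely modelled on what the PR lists:
// provider credentials and MCP server environment values.
interface DroidSettings {
  provider?: { name?: string; apiKey?: string };
  mcpServers?: Record<string, { env?: Record<string, string> }>;
  [key: string]: unknown;
}

// Constructed sample input: the secret values are placeholders, not real.
export const SAMPLE_SETTINGS: DroidSettings = {
  provider: { name: "example", apiKey: "sk-constructed-0000" },
  mcpServers: { filesystem: { env: { MCP_TOKEN: "mcp-constructed-1111" } } },
};
export const SENSITIVE_VALUES = ["sk-constructed-0000", "mcp-constructed-1111"];
export const SENSITIVE_KEYS = ["apiKey", "MCP_TOKEN"];

// Naive capture: String(obj) yields "[object Object]", so an object-shaped
// log line never contains the secret and a leak check passes by accident.
export function naiveCapture(run: (log: Logger) => void): string[] {
  const lines: string[] = [];
  run((...args) => lines.push(args.map(String).join(" ")));
  return lines;
}

// Capture that serializes non-string arguments, so whatever the logger
// would have shown in CI is also what the regression test inspects.
export function serializeLogArgs(args: unknown[]): string {
  return args
    .map((a) => (typeof a === "string" ? a : JSON.stringify(a)))
    .join(" ");
}

export function captureConsole(run: (log: Logger) => void): string[] {
  const lines: string[] = [];
  run((...args) => lines.push(serializeLogArgs(args)));
  return lines;
}

// "Before": the pattern the PR removes; the whole object goes to the log.
export function logSettingsBefore(settings: DroidSettings, log: Logger): void {
  log("Found existing settings:", settings);
}

// "After": a generic status message carrying no settings content.
export function logSettingsAfter(_settings: DroidSettings, log: Logger): void {
  log("Found existing settings file");
}

// Regression check: returns every sensitive value or key name that
// appears anywhere in the captured output (empty array means clean).
export function findLeaks(
  lines: string[],
  values: string[],
  keyNames: string[],
): string[] {
  const joined = lines.join("\n");
  return [...values, ...keyNames].filter((s) => joined.includes(s));
}

// Stand-alone usage: shows why the capture path matters as much as the fix.
const hidden = naiveCapture((log) => logSettingsBefore(SAMPLE_SETTINGS, log));
const before = captureConsole((log) => logSettingsBefore(SAMPLE_SETTINGS, log));
const after = captureConsole((log) => logSettingsAfter(SAMPLE_SETTINGS, log));
console.log("naive capture sees:", hidden[0]);
console.log("before, leaks:", findLeaks(before, SENSITIVE_VALUES, SENSITIVE_KEYS));
console.log("after, leaks:", findLeaks(after, SENSITIVE_VALUES, SENSITIVE_KEYS));
```

The design point is the order of the two checks: a test that only asserts "no secret in captured output" is satisfied by the naive capture even against the old logging code, so the capture helper has to be fixed first, and the regression test should also assert on key names (`apiKey`, `MCP_TOKEN`), since a partially redacted object would still reveal which fields exist.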