fix: password placeholder (#53)

internal/providers/service.go

@@ -142,10 +142,7 @@ func (s *Service) Update(ctx context.Context, id string, req UpdateRequest) (Get
 		baseURL = *req.BaseURL
 	}
 
-	apiKey := existing.ApiKey
-	if req.APIKey != nil {
-		apiKey = *req.APIKey
-	}
+	apiKey := resolveUpdatedAPIKey(existing.ApiKey, req.APIKey)
 
 	metadata := existing.Metadata
 	if req.Metadata != nil {
@@ -253,3 +250,15 @@ func maskAPIKey(apiKey string) string {
 	}
 	return apiKey[:8] + strings.Repeat("*", len(apiKey)-8)
 }
+
+// resolveUpdatedAPIKey keeps the original key when the request value matches the masked version.
+// This prevents masked placeholder values from overwriting the real stored credential.
+func resolveUpdatedAPIKey(existing string, updated *string) string {
+	if updated == nil {
+		return existing
+	}
+	if *updated == maskAPIKey(existing) {
+		return existing
+	}
+	return *updated
+}

internal/providers/service_test.go

@@ -0,0 +1,40 @@
+package providers
+
+import "testing"
+
+func TestResolveUpdatedAPIKey(t *testing.T) {
+	t.Parallel()
+
+	existing := "sk-1234567890abcdef"
+	masked := maskAPIKey(existing)
+
+	t.Run("nil update keeps existing", func(t *testing.T) {
+		t.Parallel()
+		if got := resolveUpdatedAPIKey(existing, nil); got != existing {
+			t.Fatalf("expected existing key, got %q", got)
+		}
+	})
+
+	t.Run("masked update keeps existing", func(t *testing.T) {
+		t.Parallel()
+		if got := resolveUpdatedAPIKey(existing, &masked); got != existing {
+			t.Fatalf("expected existing key, got %q", got)
+		}
+	})
+
+	t.Run("new key replaces existing", func(t *testing.T) {
+		t.Parallel()
+		next := "sk-new-secret"
+		if got := resolveUpdatedAPIKey(existing, &next); got != next {
+			t.Fatalf("expected new key, got %q", got)
+		}
+	})
+
+	t.Run("empty update clears key", func(t *testing.T) {
+		t.Parallel()
+		empty := ""
+		if got := resolveUpdatedAPIKey(existing, &empty); got != empty {
+			t.Fatalf("expected empty key, got %q", got)
+		}
+	})
+}