security: set and declare -p leak internal marker variables (TM-INF-017)

[chaliy]

Summary

set (no args) at builtins/vars.rs:114-119 and declare -p at interpreter/mod.rs:5367-5374 iterate all variables without filtering internal prefixes (_NAMEREF_*, _READONLY_*, _UPPER_*, _LOWER_*).

Impact — MEDIUM

Scripts can discover which variables are namerefs, readonly, or have case conversion attributes by examining set or declare -p output. This leaks internal implementation details.

Reproduction

declare -n myref=target
readonly myval=123
set | grep -E "^_(NAMEREF|READONLY)_"
# Output: _NAMEREF_myref=target
#         _READONLY_myval=1

Recommended fix

Filter is_internal_variable() names from output in both set and declare -p paths.

Tests

Regression tests (currently #[ignore]):

• security_audit_set_hides_internal_markers
• security_audit_declare_p_hides_internal_markers

Cross-references

• Threat model: TM-INF-017
• PR: test(security): deep security audit with regression tests #487