perf: avoid bitwarden probe in runtime description

docs/secrets.md

@@ -187,7 +187,8 @@ effective := secretstore.EffectiveBackendPolicy(store)
 fmt.Println("backend effectif:", effective) // bitwarden-cli, env-only, keyring-any...
 ```
 
-Pour obtenir en un seul appel une description runtime (source manifeste, policy déclarée/effective, disponibilité) :
+Pour obtenir en un seul appel une description runtime légère (source manifeste,
+policy déclarée/effective, backend affiché) :
 
 ```go
 desc, err := secretstore.DescribeRuntime(secretstore.DescribeRuntimeOptions{
@@ -202,7 +203,8 @@ fmt.Println(secretstore.FormatBackendStatus(desc))
 // declared=... effective=... display=... ready=... source=...
 ```
 
-Pour un préflight réutilisable dans `setup`, `config show` et `config test` :
+`DescribeRuntime` ne contacte pas Bitwarden par défaut. Pour vérifier réellement
+la disponibilité du backend, utiliser le préflight :
 
 ```go
 report, err := secretstore.PreflightFromManifest(secretstore.PreflightOptions{

secretstore/runtime.go

@@ -16,6 +16,7 @@ type DescribeRuntimeOptions struct {
 	BitwardenCommand      string
 	BitwardenDebug        bool
 	DisableBitwardenCache bool
+	CheckReady            bool
 	Shell                 string
 	ManifestLoader        ManifestLoader
 	ExecutableResolver    ExecutableResolver
@@ -91,7 +92,7 @@ func DescribeRuntime(options DescribeRuntimeOptions) (RuntimeDescription, error)
 		desc.EffectivePolicy = effective
 		desc.DisplayName = BackendDisplayName(effective)
 	}
-	if desc.EffectivePolicy == BackendBitwardenCLI {
+	if options.CheckReady && desc.EffectivePolicy == BackendBitwardenCLI {
 		if err := verifyBitwardenCLIReady(Options{
 			BitwardenCommand: options.BitwardenCommand,
 			BitwardenDebug:   options.BitwardenDebug,
@@ -107,6 +108,7 @@ func DescribeRuntime(options DescribeRuntimeOptions) (RuntimeDescription, error)
 }
 
 func PreflightFromManifest(options PreflightOptions) (PreflightReport, error) {
+	options.CheckReady = true
 	desc, err := DescribeRuntime(options)
 	if err != nil {
 		return PreflightReport{}, err

secretstore/runtime_test.go

@@ -46,16 +46,9 @@ func TestDescribeRuntimeReturnsDeclaredAndEffectivePolicies(t *testing.T) {
 	}
 }
 
-func TestDescribeRuntimeReportsUnavailableBitwardenAsNotReady(t *testing.T) {
+func TestDescribeRuntimeDoesNotProbeBitwardenByDefault(t *testing.T) {
 	withBitwardenRunner(t, func(command string, stdin []byte, args ...string) ([]byte, error) {
-		switch {
+		return nil, errors.New("unexpected bitwarden invocation")
-		case len(args) == 1 && args[0] == "--version":
-			return []byte("2026.1.0\n"), nil
-		case len(args) == 1 && args[0] == "status":
-			return []byte(`{"status":"locked"}`), nil
-		default:
-			return nil, errors.New("unexpected bitwarden invocation")
-		}
 	})
 
 	desc, err := DescribeRuntime(DescribeRuntimeOptions{
@@ -80,14 +73,11 @@ func TestDescribeRuntimeReportsUnavailableBitwardenAsNotReady(t *testing.T) {
 	if desc.EffectivePolicy != BackendBitwardenCLI {
 		t.Fatalf("EffectivePolicy = %q, want %q", desc.EffectivePolicy, BackendBitwardenCLI)
 	}
-	if desc.Ready {
+	if !desc.Ready {
-		t.Fatalf("Ready = %v, want false", desc.Ready)
+		t.Fatalf("Ready = %v, want true without readiness probe", desc.Ready)
 	}
-	if !errors.Is(desc.ReadyError, ErrBWLocked) {
+	if desc.ReadyError != nil {
-		t.Fatalf("ReadyError = %v, want ErrBWLocked", desc.ReadyError)
+		t.Fatalf("ReadyError = %v, want nil without readiness probe", desc.ReadyError)
-	}
-	if !strings.Contains(desc.ReadyError.Error(), "set -x BW_SESSION (bw unlock --raw)") {
-		t.Fatalf("ReadyError = %v, want fish remediation", desc.ReadyError)
 	}
 }