fix: Obfuscate home directory paths in vendor list output

Prevent leaking user home directory paths in `atmos list vendor` output
by replacing them with `~` before printing.

Security improvement that follows the existing pattern from auth_whoami.go.

Changes:
- Added obfuscateHomeDirInOutput() helper function
- Applied obfuscation before printing vendor list output
- Added comprehensive unit tests with 5 test cases

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: Claude (via Conductor)

cmd/list/vendor.go

@@ -2,11 +2,14 @@ package list
 
 import (
 	"fmt"
+	"os"
+	"strings"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
 	"github.com/cloudposse/atmos/pkg/config"
+	"github.com/cloudposse/atmos/pkg/config/homedir"
 	"github.com/cloudposse/atmos/pkg/flags"
 	"github.com/cloudposse/atmos/pkg/flags/global"
 	l "github.com/cloudposse/atmos/pkg/list"
@@ -52,7 +55,9 @@ var vendorCmd = &cobra.Command{
 			return err
 		}
 
-		fmt.Println(output)
+		// Obfuscate home directory paths before printing.
+		obfuscatedOutput := obfuscateHomeDirInOutput(output)
+		fmt.Println(obfuscatedOutput)
 		return nil
 	},
 }
@@ -95,3 +100,18 @@ func listVendorWithOptions(opts *VendorOptions) (string, error) {
 
 	return l.FilterAndListVendor(&atmosConfig, options)
 }
+
+// obfuscateHomeDirInOutput replaces occurrences of the home directory with "~" to prevent leaking user paths.
+func obfuscateHomeDirInOutput(output string) string {
+	homeDir, err := homedir.Dir()
+	if err != nil || homeDir == "" {
+		return output
+	}
+
+	// Replace home directory with tilde at the start of paths.
+	// Handle both absolute paths and paths with path separator.
+	result := strings.ReplaceAll(output, homeDir+string(os.PathSeparator), "~"+string(os.PathSeparator))
+	result = strings.ReplaceAll(result, homeDir, "~")
+
+	return result
+}

cmd/list/vendor_test.go

@@ -1,6 +1,10 @@
 package list
 
 import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
 	"testing"
 )
 
@@ -13,3 +17,64 @@ func TestListVendorCmd_WithoutStacks(t *testing.T) {
 	// No runtime test needed - this is enforced by code structure.
 	t.Log("list vendor command uses InitCliConfig with processStacks=false")
 }
+
+// TestObfuscateHomeDirInOutput verifies that home directory paths are properly obfuscated.
+func TestObfuscateHomeDirInOutput(t *testing.T) {
+	// Determine expected home directory.
+	homeDir := os.Getenv("HOME")
+	if runtime.GOOS == "windows" {
+		if userProfile := os.Getenv("USERPROFILE"); userProfile != "" {
+			homeDir = userProfile
+		}
+	}
+
+	if homeDir == "" {
+		t.Skip("Could not determine home directory for test")
+	}
+
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "absolute path with home directory",
+			input:    filepath.Join(homeDir, "path", "to", "file"),
+			expected: filepath.Join("~", "path", "to", "file"),
+		},
+		{
+			name:     "home directory only",
+			input:    homeDir,
+			expected: "~",
+		},
+		{
+			name:     "path without home directory",
+			input:    "/var/lib/atmos/vendor",
+			expected: "/var/lib/atmos/vendor",
+		},
+		{
+			name:     "mixed content with home directory",
+			input:    "Component: vpc\nManifest: " + filepath.Join(homeDir, ".atmos", "vendor.yaml"),
+			expected: "Component: vpc\nManifest: " + filepath.Join("~", ".atmos", "vendor.yaml"),
+		},
+		{
+			name:     "multiple occurrences of home directory",
+			input:    homeDir + "/path1 and " + homeDir + "/path2",
+			expected: "~/path1 and ~/path2",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := obfuscateHomeDirInOutput(tt.input)
+			if result != tt.expected {
+				t.Errorf("obfuscateHomeDirInOutput() = %q, want %q", result, tt.expected)
+			}
+
+			// Verify home directory is not present in output.
+			if strings.Contains(result, homeDir) {
+				t.Errorf("obfuscateHomeDirInOutput() still contains home directory: %q", result)
+			}
+		})
+	}
+}