fix: connection upsert fails when updating rules on connection with destination auth

[leggetter]

Summary

hookdeck connection upsert has several issues when updating an existing connection that has destination authentication configured (e.g., AWS_SIGNATURE). These prevent basic operations like adding retry rules without re-specifying the full destination config.

Bugs

1. Upsert re-sends auth_type without credentials

When upserting an existing connection with only rule flags (no destination flags), the CLI rebuilds the destination config and includes auth_type from the existing destination, but without the auth credentials. The API then rejects the request:

destination.config.auth.access_key_id is required
destination.config.auth.secret_access_key is required

Expected: When no --destination-auth-method flag is passed, the upsert should either pass destination_id to reference the existing destination, or omit auth fields entirely.

2. --source-name requires --source-type on upsert

Passing --source-name without --source-type fails with:

both --source-name and --source-type are required for inline source creation

This is a client-side validation (validateSourceFlags() in connection_upsert.go:288) that applies create semantics to an upsert. On an existing connection, --source-name alone should be enough to reference the existing source.

3. --rule-retry-response-status-codes sent as string, not array

The flag value (e.g., "500,502,503,504") is passed directly as a string in the JSON payload, but the API expects an array of strings ["500", "502", "503", "504"].

Error code response_status_codes must be an array

See connection_create.go:985 where the raw string is assigned without parsing.

Reproduction

# Create a connection with AWS auth
hookdeck connection upsert my-conn \
  --source-name my-source --source-type WEBHOOK \
  --destination-name my-dest --destination-type HTTP \
  --destination-url https://example.com \
  --destination-auth-method aws \
  --destination-aws-access-key-id AKIAEXAMPLE \
  --destination-aws-secret-access-key secretkey \
  --destination-aws-region us-east-1 \
  --destination-aws-service lambda

# Try to add retry rules (fails with auth required error)
hookdeck connection upsert my-conn \
  --source-name my-source --source-type WEBHOOK \
  --destination-name my-dest --destination-type HTTP \
  --destination-url https://example.com \
  --rule-retry-strategy linear \
  --rule-retry-count 5 \
  --rule-retry-interval 60000

# Try with just names (fails with source-type required)
hookdeck connection upsert my-conn \
  --source-name my-source \
  --destination-name my-dest \
  --rule-retry-strategy linear \
  --rule-retry-count 5

Notes

• The underlying API works correctly with source_id/destination_id — the CLI should use these when upserting an existing connection without source/destination changes.
• The API's PUT /connections endpoint requires source/destination references but preserves existing auth config when destination_id is used.