Add post-apply reminder about install.conf secrets

[dcellison]

Summary

Add a reminder after successful make install that install.conf contains secrets and can be safely deleted now that they are in /etc/kai/env.

The file is already 0600 and gitignored, so the risk is low. But keeping unnecessary copies of secrets is bad hygiene, and the user may not realize install.conf still contains them. The reminder is informational only - no auto-deletion.

Changes

Change	Detail
Post-apply message	Prints note about install.conf secrets with deletion guidance
INSTALL_CONF.exists() guard	Only prints if the file exists
Dry run excluded	Reminder is in the non-dry-run branch
Test assertion	Dry run test verifies "contains secrets" does NOT appear

Test plan

• Dry run test confirms reminder does not print
• All 1135 tests pass, make check clean
• Manual: run sudo make install and verify the reminder appears

Fixes #165

[dcellison]

Review by Kai

Overall: Clean PR. Two minor suggestions.

---

suggestion — install.py (new lines +9–14): No positive-path test

The test only asserts the reminder doesn't appear in dry run. There's no test asserting it does appear when INSTALL_CONF.exists() is true after a successful apply. The happy path is untested by automated tests (marked as manual-only). Not a blocker, but worth noting since the logic branches on INSTALL_CONF.exists().

---

suggestion — install.py +11: Secrets enumeration in output

f"\nNote: {INSTALL_CONF} contains secrets (bot token, webhook secret)."

Naming the specific secret types in terminal output is a minor information-disclosure concern — anyone with access to terminal history or logs now knows exactly what credentials to look for if they can get the file. The message is still useful without the parenthetical. Consider:

f"\nNote: {INSTALL_CONF} contains secrets."

---

No bugs, no logic errors, no injection or auth issues. The INSTALL_CONF.exists() guard is correct, the dry-run exclusion is correct, and the no-auto-delete rationale is sound.