Omnibus v1.1.0-beta.066

@github-actions github-actions released this 27 Jun 15:21

v1.1.0-beta.066 - fix(security): decrypt enc:v2 secret settings on read (ComicVine/Prowlarr/etc. keys broken since beta.058)

🔓 Secret settings saved after the GCM migration weren't decrypting on read

  • beta.058 moved encryptSecret to AES-256-GCM (enc:v2:), but the read-side auto-decrypt extension in db.ts and the db-init boot-migration guards still only recognized enc:v1: (CBC). So every secret SystemSetting saved since — cv_api_key, prowlarr_key, metron_pass, smtp_pass, oidc_client_secret, pushover_token, telegram_bot_token, apprise_url — was stored as enc:v2: and handed to consumers as the raw encrypted blob. On a fresh database (all values v2) the ComicVine key (and the rest) simply never worked; on an existing install, re-saving any secret broke it too. decryptSecret already handled both formats — only these prefix gates were missed.
  • db.ts: the decrypt-on-read extension now decrypts any enc:-prefixed secret-key value (enc:v1: CBC + enc:v2: GCM).
  • db-init.ts: the boot-time encrypt-at-rest guards (download-client/hoster creds + SystemSetting secrets) now skip enc:v1:/enc:v2:, so v2 values aren't needlessly re-written every boot.
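The failure mode described above, as an added example that is not Omnibus's own code: a prefix-gated decrypt-on-read helper in the buggy shape (only `enc:v1:` recognised, so GCM blobs leak through undecrypted) next to the fixed shape (any `enc:`-prefixed value goes to a version-dispatching `decryptSecret`), plus the boot-time guard that skips both versions. The `enc:v1:`/`enc:v2:` wire layout, the fixed 32-byte `KEY`, the `SettingRow` shape and the helper names other than `decryptSecret`/`decryptSettingRow` are assumptions for the example; the secret key names are a subset of those listed in the release note.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumption: a fixed demo key. A real deployment derives this from a secret, never a constant.
const KEY = Buffer.alloc(32, 7);

// SystemSetting keys whose values are secrets (subset of the keys named in the release note).
const SECRET_KEYS = new Set(["cv_api_key", "prowlarr_key", "metron_pass", "smtp_pass"]);

// Assumed v1 layout: enc:v1:<iv b64>:<ciphertext b64>, AES-256-CBC (no integrity protection).
export function encryptV1(plain: string): string {
  const iv = randomBytes(16);
  const c = createCipheriv("aes-256-cbc", KEY, iv);
  const ct = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  return `enc:v1:${iv.toString("base64")}:${ct.toString("base64")}`;
}

// Assumed v2 layout: enc:v2:<iv b64>:<tag b64>:<ciphertext b64>, AES-256-GCM (authenticated).
export function encryptV2(plain: string): string {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", KEY, iv);
  const ct = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  return `enc:v2:${iv.toString("base64")}:${c.getAuthTag().toString("base64")}:${ct.toString("base64")}`;
}

// Dispatches on the version prefix; throws on an unknown format or a failed GCM tag check.
export function decryptSecret(value: string): string {
  if (value.startsWith("enc:v1:")) {
    const [ivB64, ctB64] = value.slice("enc:v1:".length).split(":");
    const d = createDecipheriv("aes-256-cbc", KEY, Buffer.from(ivB64, "base64"));
    return Buffer.concat([d.update(Buffer.from(ctB64, "base64")), d.final()]).toString("utf8");
  }
  if (value.startsWith("enc:v2:")) {
    const [ivB64, tagB64, ctB64] = value.slice("enc:v2:".length).split(":");
    const d = createDecipheriv("aes-256-gcm", KEY, Buffer.from(ivB64, "base64"));
    d.setAuthTag(Buffer.from(tagB64, "base64"));
    return Buffer.concat([d.update(Buffer.from(ctB64, "base64")), d.final()]).toString("utf8");
  }
  throw new Error("unknown ciphertext format");
}

export interface SettingRow { key: string; value: string }

// Pre-fix gate: only enc:v1: is recognised, so a v2 blob is handed to the caller still encrypted.
export function decryptSettingRowBuggy(row: SettingRow): SettingRow {
  if (!SECRET_KEYS.has(row.key) || !row.value.startsWith("enc:v1:")) return row;
  try { return { ...row, value: decryptSecret(row.value) }; } catch { return row; }
}

// Fixed gate: any enc:-prefixed secret value is decrypted; decryptSecret picks the version.
// Non-secret keys and plaintext values pass through; a decrypt failure returns the row unchanged.
export function decryptSettingRow(row: SettingRow): SettingRow {
  if (!SECRET_KEYS.has(row.key) || !row.value.startsWith("enc:")) return row;
  try { return { ...row, value: decryptSecret(row.value) }; } catch { return row; }
}

// Boot-time encrypt-at-rest guard: values already in either format must not be re-written.
export function needsEncryptAtRest(row: SettingRow): boolean {
  return SECRET_KEYS.has(row.key)
    && !row.value.startsWith("enc:v1:")
    && !row.value.startsWith("enc:v2:");
}
```

Gating on the bare `enc:` prefix and letting one routine own the version dispatch means a future `enc:v3:` cannot repeat this class of bug in the read path; the boot guard is kept explicit about the versions it trusts so that an unrecognised prefix is noticed rather than silently left as-is.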

🧪 Tests

  • db: new decryptSettingRow tests — decrypts v2 + v1 secret-key values, passes plaintext / non-secret keys through, and returns the row unchanged on a decrypt failure.

✅ Verification

  • tsc clean; eslint . 0 errors; vitest 288 passed (+6)