
feat(secrets): system secrets management (#1417) #1419

Merged
mrveiss merged 1 commit into Dev_new_gui from feat/1417-system-secrets
Mar 6, 2026

@mrveiss
Owner

@mrveiss mrveiss commented Mar 6, 2026

Summary

  • Add SystemSecret model with AES-256-GCM encrypted value storage
  • Add admin-only CRUD API at /api/secrets (values never returned in list/get responses)
  • Add /api/secrets/{key}/value endpoint for fleet provisioning (admin-only decryption)
  • Add SecretsSettings.vue admin page in Settings > Secrets with create/update/delete UI
  • Add useSecretsApi composable for frontend API integration
  • Three secret categories: System, API Token, Service

Architecture

  • Values encrypted at rest using existing services/encryption.py (AES-256-GCM + PBKDF2)
  • Secret values are never returned in list/detail responses — only metadata
  • Decrypted values only accessible via explicit /value endpoint
  • Admin-only access enforced on all endpoints

Test Plan

  • Create secret via admin UI at /settings/admin/secrets
  • Verify secret appears in list (value not shown)
  • Update secret value
  • Delete secret
  • Verify non-admin users cannot access /api/secrets

Closes #1417
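
A regression check for the "value not shown" items in the test plan above, added here as an example and not part of this PR or the project's code. The response shapes, the field names in `FORBIDDEN_FIELDS`, and the sample secret are assumptions constructed for illustration.

```python
import base64

# Assumed field names an API might use for secret material (not taken from the PR).
FORBIDDEN_FIELDS = {"value", "encrypted_value", "ciphertext", "plaintext"}


def encodings(secret):
    """The plaintext plus encodings a serializer could emit by accident."""
    raw = secret.encode()
    return {"plaintext": secret,
            "base64": base64.b64encode(raw).decode(),
            "hex": raw.hex()}


def find_leaks(body, known_values, path="$"):
    """Walk a decoded JSON body and return (json_path, reason) per leak."""
    leaks = []
    if isinstance(body, dict):
        for key, val in body.items():
            child = f"{path}.{key}"
            if key.lower() in FORBIDDEN_FIELDS:
                leaks.append((child, "forbidden field"))
            leaks += find_leaks(val, known_values, child)
    elif isinstance(body, list):
        for i, val in enumerate(body):
            leaks += find_leaks(val, known_values, f"{path}[{i}]")
    elif isinstance(body, str):
        for secret in known_values:
            for kind, enc in encodings(secret).items():
                # Hex may be upper-cased by the serializer, so compare lowered.
                if enc in body or (kind == "hex" and enc in body.lower()):
                    leaks.append((path, kind))  # never echo the secret itself
                    break
    return leaks


# Constructed sample data: a test secret and two hypothetical response bodies.
SECRET = "s3cr3t-fleet-token"
GOOD_LIST = [{"key": "fleet_token", "category": "API Token", "description": "agents"}]
BAD_DETAIL = {"key": "fleet_token", "category": "API Token", "value": SECRET,
              "debug": {"raw": base64.b64encode(SECRET.encode()).decode()}}

if __name__ == "__main__":
    for name, body in (("list", GOOD_LIST), ("detail", BAD_DETAIL)):
        print(name, find_leaks(body, [SECRET]) or "clean")
```

Run it against the decoded bodies of the list and detail endpoints after creating a secret with a known test value; any non-empty result means secret material reached a response that should carry metadata only.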

- Add SystemSecret model with AES-256-GCM encrypted values
- Add CRUD API at /api/secrets (admin-only, values never returned in list)
- Add /api/secrets/{key}/value endpoint for fleet provisioning
- Add SecretsSettings.vue admin page with create/update/delete UI
- Add useSecretsApi composable for frontend API integration
- Register secrets route in settings navigation
@github-actions

github-actions bot commented Mar 6, 2026

⚠️ SSOT Configuration Compliance: Violations Found

Metric Count
Total Violations 371
SSOT Violations (high priority) 286
Other Violations 85

⚠️ 286 values have SSOT config equivalents!

These should be replaced with SSOT config imports:

Python:

from src.config.ssot_config import config
# Use: config.vm.main, config.port.backend, config.backend_url

TypeScript:

import config from '@/config/ssot-config'
// Use: config.vm.main, config.port.backend, config.backendUrl

📖 See SSOT_CONFIG_GUIDE.md for documentation.

@mrveiss mrveiss merged commit 8c4499b into Dev_new_gui Mar 6, 2026
2 checks passed
@mrveiss mrveiss deleted the feat/1417-system-secrets branch March 6, 2026 17:32