
feat: add secret types #801

Merged: nimish-ks merged 19 commits into main from feat--secret-types on Mar 24, 2026

Conversation

@rohan-chaturvedi
Member

Summary

  • Adds a type field to secrets with three options: Secret (default), Sealed, and Config
  • Sealed secrets have their values redacted server-side — once saved, the plaintext is never returned to the client, the value cannot be revealed or edited, and the type cannot be changed
  • Config variables are non-sensitive values that are revealed by default and skip masking in the UI
  • Full UX support across both the single-environment editor and the cross-environment editor, including an animated TypeSelector toggle, type badges, and creation via SplitButton dropdown

Changes

Backend

  • Migration (0118_secret_type_field.py): Adds type CharField with choices secret, sealed, config (default: secret)
  • Model (models.py): SecretTypeChoices enum and type field on Secret
  • API views (views/secrets.py): resolve_value returns empty string for sealed secrets so ciphertext is never sent to the client
  • GraphQL (types.py, mutations/environment.py): Exposes type on SecretType, accepts type in SecretInput for create/update mutations

Frontend

  • TypeSelector (TypeSelector.tsx): New animated segmented toggle component with sliding indicator that transitions between Secret/Sealed/Config states
  • Single-env editor (page.tsx, SecretRow.tsx): Type selector in key action menu, type badges, sealed enforcement (locked value, blocked reveal, disabled editing), config auto-reveal, type included in save mutation and unsaved changes detection
  • Cross-env editor (AppSecrets.tsx, AppSecretRow.tsx): Type selector propagates changes to all environment values, type badges, sealed/config behavior per-env, SplitButton for creating Config and Sealed secrets, "Add value" inherits type from sibling env secrets
  • Decryption (environments.ts): Skips decryptAsymmetric for sealed secrets (server returns empty string, not valid ciphertext)
  • GraphQL queries (getSecrets.gql, getAppSecrets.gql): Added type field
  • Memo comparators: Updated areAppSecretRowEqual, areEnvSecretEqual to include type so React re-renders on type changes

Key design decisions

  • isSealedAndSaved checks the server type (not client type), so users can freely toggle types before saving — the seal only locks once persisted
  • Sealed enforcement is server-side: resolve_value strips the ciphertext, so even if the client is compromised, sealed values cannot be exfiltrated

Preview

Screenshot From 2026-03-11 13-17-21 Screenshot From 2026-03-11 13-15-43
Screencast.From.2026-03-11.13-18-45.mp4

Test plan

  • Create a new secret with default type — verify it saves and behaves as before
  • Create a sealed secret — verify value is editable before first save, then locked after save (cannot reveal, edit, or change type)
  • Create a config variable — verify value is revealed by default and not masked
  • Toggle a secret's type before saving — verify TypeSelector animates, amber highlight appears, discard restores original type
  • In cross-env editor: toggle type — verify it propagates to all environments
  • In cross-env editor: use "Add value" on a sealed secret's missing env — verify the new value inherits the sealed type
  • Verify sealed secrets return empty values from the API (no ciphertext leakage)

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
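The server-side behaviour described in the summary and design decisions above, as an added Python sketch that is not code from this PR or from the project. Only the name `resolve_value` and the type values `secret`, `sealed` and `config` come from the page; `StoredSecret`, `serialize`, `apply_update`, `leaked_sealed_keys` and the update guard itself are assumptions, and the sample rows are constructed.

```python
from dataclasses import dataclass, replace

SECRET, SEALED, CONFIG = "secret", "sealed", "config"  # type values named in the PR


@dataclass(frozen=True)
class StoredSecret:  # hypothetical stand-in for the persisted row
    key: str
    value: str  # ciphertext as stored server-side
    type: str = SECRET


class SealedError(Exception):
    """A request tried to modify a persisted sealed secret."""


def resolve_value(secret):
    # Redact at the serialization boundary: sealed ciphertext never leaves the server.
    return "" if secret.type == SEALED else secret.value


def serialize(secret):
    return {"key": secret.key, "type": secret.type, "value": resolve_value(secret)}


def apply_update(stored, incoming):
    # Assumed guard: decide from the *stored* type, never from the type the client sent.
    if stored.type == SEALED:
        if incoming.get("type", SEALED) != SEALED:
            raise SealedError("type of a sealed secret cannot be changed")
        if incoming.get("value", ""):
            raise SealedError("value of a sealed secret cannot be edited")
        # "" is the redacted placeholder echoed back by the client: keep the ciphertext.
        return replace(stored, key=incoming.get("key", stored.key))
    if incoming.get("type", stored.type) not in (SECRET, SEALED, CONFIG):
        raise ValueError("unknown secret type")
    return replace(stored, **{k: incoming[k] for k in ("key", "value", "type") if k in incoming})


def leaked_sealed_keys(response):
    # Test-plan check: a sealed entry carrying any non-empty value is a leak.
    return [s["key"] for s in response if s["type"] == SEALED and s["value"]]


SAMPLE = [  # constructed rows; the ciphertext strings are placeholders, not a real format
    StoredSecret("DB_PASSWORD", "CT-constructed-1", SEALED),
    StoredSecret("API_KEY", "CT-constructed-2", SECRET),
    StoredSecret("LOG_LEVEL", "CT-constructed-3", CONFIG),
]
```

Running `leaked_sealed_keys` over a real API response for an environment is a direct way to exercise the last item of the test plan.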
@rohan-chaturvedi added the enhancement (New feature or request), frontend (Change in frontend code), backend, and updates migrations (This PR adds new migrations that update the database schema) labels on Mar 11, 2026
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
rohan-chaturvedi and others added 3 commits March 11, 2026 19:48
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Resolve conflicts in SecretPropertyDiffs.tsx and SecretRow.tsx:
- Keep secret type display and sealed value handling from feature branch
- Incorporate UI density/sizing changes from main
- Hide type badge by default, only show TypeSelector on hover
- Fix Tab key in secret key input skipping to value field
- Fix z-index for sticky toolbar and GenericDialog
- Remove Config/Sealed from new secret dropdown menus
@nimish-ks force-pushed the feat--secret-types branch from cdc6883 to eea2352 on March 17, 2026 05:50
nimish-ks and others added 13 commits March 17, 2026 13:54
- Change default secret type from Secret to Config
- Reorder TypeSelector: Config, Secret, Sealed
- Change sealed value placeholder from "Sealed" to "Sealed secret"
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
fix: secret type UX and z-index improvements
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@nimish-ks merged commit a56d5c8 into main on Mar 24, 2026
7 checks passed
@nimish-ks deleted the feat--secret-types branch on March 24, 2026 06:35

2 participants