fix: validate cross-app secret refs against empty target envs

[rohan-chaturvedi]

Summary

Fixes a false negative in validateSecretReferences where cross-app references like ${app::env.MISSING_KEY} were not flagged as broken when the target env's decrypted key list was empty.

Root cause

The cross-app key check was guarded by crossAppEnvKeys.length > 0 &&, which silently skipped validation whenever the target env's key list was []. That conflated two distinct cases:

• No decrypt access — useOrgSecretKeys set the entry to [] as a fallback when env-key unwrap threw.
• Env genuinely has zero secrets — list is legitimately [].

The second case meant any ${app::env.X} ref against an empty env passed validation, even though the key clearly doesn't exist.

Fix

• frontend/hooks/useOrgSecretKeys.ts: on unwrap failure, leave envSecretKeys[env] undefined instead of []. This lets validation distinguish "no visibility" from "empty env".
• frontend/utils/secretReferences.ts: cross-app key check now uses crossAppEnvKeys !== undefined instead of length > 0. Undefined → skip (we can't see the keys); defined (including []) → strict check.

Test plan

• Existing validateSecretReferences tests still pass (82 → 84 with new cases)
• New regression test: empty target env flags any cross-app key ref as broken
• New regression test: no-access target env skips cross-app key validation
• tsc --noEmit clean
• Manual: write ${OtherApp::env.NONEXISTENT} against an env with secrets and confirm warning fires
• Manual: confirm cross-app refs to envs you can't decrypt still don't false-positive