Implement secrets service with local encryption, redaction, and runtime resolution

Add AES-256-GCM local encrypted secrets provider with auto-generated
master key, stub providers for AWS/GCP/Vault, and a secrets service
that normalizes adapter configs (converting sensitive inline values to
secret refs in strict mode) and resolves secret refs back to plain
values at runtime. Extract redaction utilities from agent routes into
shared module. Redact sensitive values in activity logs, config
revisions, and approval payloads. Block rollback of revisions
containing redacted secrets. Filter hidden issues from list queries.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/src/redaction.ts

@@ -0,0 +1,59 @@
+const SECRET_PAYLOAD_KEY_RE =
+  /(api[-_]?key|access[-_]?token|auth(?:_?token)?|authorization|bearer|secret|passwd|password|credential|jwt|private[-_]?key|cookie|connectionstring)/i;
+const JWT_VALUE_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)?$/;
+export const REDACTED_EVENT_VALUE = "***REDACTED***";
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
+  const proto = Object.getPrototypeOf(value);
+  return proto === Object.prototype || proto === null;
+}
+
+function sanitizeValue(value: unknown): unknown {
+  if (value === null || value === undefined) return value;
+  if (Array.isArray(value)) return value.map(sanitizeValue);
+  if (isSecretRefBinding(value)) return value;
+  if (isPlainBinding(value)) return { type: "plain", value: sanitizeValue(value.value) };
+  if (!isPlainObject(value)) return value;
+  return sanitizeRecord(value);
+}
+
+function isSecretRefBinding(value: unknown): value is { type: "secret_ref"; secretId: string; version?: unknown } {
+  if (!isPlainObject(value)) return false;
+  return value.type === "secret_ref" && typeof value.secretId === "string";
+}
+
+function isPlainBinding(value: unknown): value is { type: "plain"; value: unknown } {
+  if (!isPlainObject(value)) return false;
+  return value.type === "plain" && "value" in value;
+}
+
+export function sanitizeRecord(record: Record<string, unknown>): Record<string, unknown> {
+  const redacted: Record<string, unknown> = {};
+  for (const [key, value] of Object.entries(record)) {
+    if (SECRET_PAYLOAD_KEY_RE.test(key)) {
+      if (isSecretRefBinding(value)) {
+        redacted[key] = sanitizeValue(value);
+        continue;
+      }
+      if (isPlainBinding(value)) {
+        redacted[key] = { type: "plain", value: REDACTED_EVENT_VALUE };
+        continue;
+      }
+      redacted[key] = REDACTED_EVENT_VALUE;
+      continue;
+    }
+    if (typeof value === "string" && JWT_VALUE_RE.test(value)) {
+      redacted[key] = REDACTED_EVENT_VALUE;
+      continue;
+    }
+    redacted[key] = sanitizeValue(value);
+  }
+  return redacted;
+}
+
+export function redactEventPayload(payload: Record<string, unknown> | null): Record<string, unknown> | null {
+  if (!payload) return null;
+  if (!isPlainObject(payload)) return payload;
+  return sanitizeRecord(payload);
+}