Implement secrets service with local encryption, redaction, and runtime resolution

Add AES-256-GCM local encrypted secrets provider with auto-generated
master key, stub providers for AWS/GCP/Vault, and a secrets service
that normalizes adapter configs (converting sensitive inline values to
secret refs in strict mode) and resolves secret refs back to plain
values at runtime. Extract redaction utilities from agent routes into
shared module. Redact sensitive values in activity logs, config
revisions, and approval payloads. Block rollback of revisions
containing redacted secrets. Filter hidden issues from list queries.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/src/secrets/provider-registry.ts

@@ -0,0 +1,30 @@
+import type { SecretProvider, SecretProviderDescriptor } from "@paperclip/shared";
+import { localEncryptedProvider } from "./local-encrypted-provider.js";
+import {
+  awsSecretsManagerProvider,
+  gcpSecretManagerProvider,
+  vaultProvider,
+} from "./external-stub-providers.js";
+import type { SecretProviderModule } from "./types.js";
+import { unprocessable } from "../errors.js";
+
+const providers: SecretProviderModule[] = [
+  localEncryptedProvider,
+  awsSecretsManagerProvider,
+  gcpSecretManagerProvider,
+  vaultProvider,
+];
+
+const providerById = new Map<SecretProvider, SecretProviderModule>(
+  providers.map((provider) => [provider.id, provider]),
+);
+
+export function getSecretProvider(id: SecretProvider): SecretProviderModule {
+  const provider = providerById.get(id);
+  if (!provider) throw unprocessable(`Unsupported secret provider: ${id}`);
+  return provider;
+}
+
+export function listSecretProviders(): SecretProviderDescriptor[] {
+  return providers.map((provider) => provider.descriptor);
+}