fix(secrets): add secretKeys tracking to resolveEnvBindings for consistent redaction

resolveEnvBindings now returns { env, secretKeys } matching the pattern
already used by resolveAdapterConfigForRuntime, so any caller can redact
secret-sourced values by provenance rather than key-name heuristics alone.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/src/services/secrets.ts

@@ -308,10 +308,11 @@ export function secretService(db: Db) {
       return normalized;
     },
 
-    resolveEnvBindings: async (companyId: string, envValue: unknown) => {
+    resolveEnvBindings: async (companyId: string, envValue: unknown): Promise<{ env: Record<string, string>; secretKeys: Set<string> }> => {
       const record = asRecord(envValue);
-      if (!record) return {} as Record<string, string>;
+      if (!record) return { env: {} as Record<string, string>, secretKeys: new Set<string>() };
       const resolved: Record<string, string> = {};
+      const secretKeys = new Set<string>();
 
       for (const [key, rawBinding] of Object.entries(record)) {
         if (!ENV_KEY_RE.test(key)) {
@@ -326,9 +327,10 @@ export function secretService(db: Db) {
           resolved[key] = binding.value;
         } else {
           resolved[key] = await resolveSecretValue(companyId, binding.secretId, binding.version);
+          secretKeys.add(key);
         }
       }
-      return resolved;
+      return { env: resolved, secretKeys };
     },
 
     resolveAdapterConfigForRuntime: async (companyId: string, adapterConfig: Record<string, unknown>): Promise<{ config: Record<string, unknown>; secretKeys: Set<string> }> => {