Secrets Encryption at Rest

Sensitive fields stored inside JSONB config blobs are now encrypted at rest before they hit the database. The SecretFieldService handles seal and unseal transparently across surface credentials, agent auth, and webhook secrets, with backward-compatible reads for older plaintext records.

This hardens the platform against backup leaks and database exposure without changing the customer-facing API shape.