feat: replace profiles with kubernetes-style secrets

Replace the confused Profile abstraction with a dedicated Secret resource
following Kubernetes conventions. Servers now have env entries with inline
values or secretRef references. Env vars are resolved and passed to
containers at startup (fixes existing gap).

- Add Secret CRUD (model, repo, service, routes, CLI commands)
- Server env: {name, value} or {name, valueFrom: {secretRef: {name, key}}}
- Add env-resolver utility shared by instance startup and config generation
- Remove all profile-related code (models, services, routes, CLI, tests)
- Update backup/restore for secrets instead of profiles
- describe secret masks values by default, --show-values to reveal

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

examples/ha-mcp.yaml

@@ -11,12 +11,14 @@ servers:
       - "from ha_mcp.server import HomeAssistantSmartMCPServer; s = HomeAssistantSmartMCPServer(); s.mcp.run(transport='sse', host='0.0.0.0', port=3000)"
     # For connecting to an already-running instance (host.containers.internal for container-to-host):
     externalUrl: "http://host.containers.internal:8086/mcp"
-    envTemplate:
+    env:
       - name: HOMEASSISTANT_URL
-        description: "Home Assistant instance URL (e.g. https://ha.example.com)"
+        value: ""
       - name: HOMEASSISTANT_TOKEN
-        description: "Home Assistant long-lived access token"
-        isSecret: true
+        valueFrom:
+          secretRef:
+            name: ha-secrets
+            key: token
 
 profiles:
   - name: production