feat: replace profiles with kubernetes-style secrets

Replace the confused Profile abstraction with a dedicated Secret resource
following Kubernetes conventions. Servers now have env entries with inline
values or secretRef references. Env vars are resolved and passed to
containers at startup (fixes existing gap).

- Add Secret CRUD (model, repo, service, routes, CLI commands)
- Server env: {name, value} or {name, valueFrom: {secretRef: {name, key}}}
- Add env-resolver utility shared by instance startup and config generation
- Remove all profile-related code (models, services, routes, CLI, tests)
- Update backup/restore for secrets instead of profiles
- describe secret masks values by default, --show-values to reveal

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/cli/tests/commands/edit.test.ts

@@ -150,31 +150,4 @@ describe('edit command', () => {
     expect(output.join('\n')).toContain('immutable');
   });
 
-  it('edits a profile', async () => {
-    vi.mocked(client.get).mockImplementation(async (path: string) => {
-      if (path === '/api/v1/profiles') return [{ id: 'prof-1', name: 'production' }];
-      return {
-        id: 'prof-1', name: 'production', serverId: 'srv-1',
-        permissions: ['read'], envOverrides: { FOO: 'bar' },
-        createdAt: '2025-01-01', updatedAt: '2025-01-01', version: 1,
-      };
-    });
-
-    const cmd = createEditCommand({
-      client,
-      log,
-      getEditor: () => 'vi',
-      openEditor: (filePath) => {
-        const content = readFileSync(filePath, 'utf-8');
-        const modified = content.replace('FOO: bar', 'FOO: baz');
-        writeFileSync(filePath, modified, 'utf-8');
-      },
-    });
-
-    await cmd.parseAsync(['profile', 'production'], { from: 'user' });
-
-    expect(client.put).toHaveBeenCalledWith('/api/v1/profiles/prof-1', expect.objectContaining({
-      envOverrides: { FOO: 'baz' },
-    }));
-  });
 });