feat: replace profiles with kubernetes-style secrets

Replace the confused Profile abstraction with a dedicated Secret resource
following Kubernetes conventions. Servers now have env entries with inline
values or secretRef references. Env vars are resolved and passed to
containers at startup (fixes existing gap).

- Add Secret CRUD (model, repo, service, routes, CLI commands)
- Server env: {name, value} or {name, valueFrom: {secretRef: {name, key}}}
- Add env-resolver utility shared by instance startup and config generation
- Remove all profile-related code (models, services, routes, CLI, tests)
- Update backup/restore for secrets instead of profiles
- describe secret masks values by default, --show-values to reveal

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/db/tests/seed.test.ts

@@ -41,13 +41,11 @@ describe('seedMcpServers', () => {
     expect(servers).toHaveLength(defaultServers.length);
   });
 
-  it('seeds envTemplate correctly', async () => {
+  it('seeds env correctly', async () => {
     await seedMcpServers(prisma);
     const slack = await prisma.mcpServer.findUnique({ where: { name: 'slack' } });
-    const envTemplate = slack!.envTemplate as Array<{ name: string; isSecret: boolean }>;
-    expect(envTemplate).toHaveLength(2);
-    expect(envTemplate[0].name).toBe('SLACK_BOT_TOKEN');
-    expect(envTemplate[0].isSecret).toBe(true);
+    const env = slack!.env as Array<{ name: string; value?: string }>;
+    expect(env).toEqual([]);
   });
 
   it('accepts custom server list', async () => {
@@ -58,7 +56,7 @@ describe('seedMcpServers', () => {
         packageName: '@test/custom',
         transport: 'STDIO' as const,
         repositoryUrl: 'https://example.com',
-        envTemplate: [],
+        env: [],
       },
     ];
     const count = await seedMcpServers(prisma, custom);