fix(secrets): describe --show-values resolves through the backend driver

Post-migration, every Secret on a non-plaintext backend has empty `Secret.data`
(the actual value lives in the backend; only externalRef is on the row).
`describe secret --show-values` was reading the raw row, so the user saw
"Data: (empty)" for every migrated secret.

- Route GET /api/v1/secrets/:id accepts ?reveal=true; when set, resolves the
  value via SecretService.resolveData() so the response carries the actual
  data dispatched through the right driver.
- CLI --show-values flips that query param. Without --show-values the route
  returns the raw row exactly as before (no leak risk).

Caught running the wizard end-to-end on the live cluster after the
ClusterMesh fix on the kubernetes-deployment side made bao reachable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/cli/src/commands/describe.ts

@@ -928,7 +928,15 @@ export function createDescribeCommand(deps: DescribeCommandDeps): Command {
         }
       }
 
-      const item = await deps.fetchResource(resource, id) as Record<string, unknown>;
+      let item: Record<string, unknown>;
+      if (resource === 'secrets' && opts.showValues === true) {
+        // --show-values needs the resolved data (the raw row's `data` is
+        // empty for non-plaintext backends — values live in the backend).
+        // Use ?reveal=true so mcpd dispatches through the backing driver.
+        item = await deps.client.get<Record<string, unknown>>(`/api/v1/secrets/${id}?reveal=true`);
+      } else {
+        item = await deps.fetchResource(resource, id) as Record<string, unknown>;
+      }
 
       // Enrich instances with container inspect data
       let inspect: Record<string, unknown> | undefined;