Wire all secret callers to scoped and user providers

[amirejaz]

Summary

• All secret provider call sites were previously using the bare CreateSecretProvider, giving every caller access to the full flat keyspace. This PR wires each caller to the appropriate wrapper introduced in Phase 1 (Add scoped and user secret providers with system key isolation #4229), so secrets are isolated by design rather than by convention.
• System callers (workload auth tokens, registry OAuth credentials, build auth files) now use CreateScopedSecretProvider, writing and reading under the __thv_<scope>_ prefix. These keys are invisible to user-facing secret commands.
• User-facing callers (thv secret commands, REST API, MCP tool server, header secrets, build-env-from-secrets) now use CreateUserSecretProvider, which blocks access to any __thv_* reserved key.
• RunConfig.WithSecrets and ValidateSecrets now take separate systemProvider and userProvider arguments so auth-token resolution and --secret flag resolution use the correct scope independently.

This is Phase 3 of the scoped secret store (part of #4192), tracking issue #4227. It must be released together with Phase 4 (#4244 — migration infrastructure).

Release note: Both this PR and the migration PR (#4244) must be merged before releasing. Neither is a breaking change on its own when no release occurs between the two merges.

Type of change

• New feature (non-breaking change which adds functionality)

Test plan

• go build ./... — clean build
• go test ./pkg/runner/... ./pkg/auth/secrets/... ./pkg/workloads/... ./pkg/mcp/server/... — all pass
• golangci-lint run — 0 issues

Special notes for reviewers

The WithSecrets signature change (one provider → two providers) is the most structurally significant change. The split is:

• systemProvider — used for RemoteAuthConfig.ClientSecret, RemoteAuthConfig.BearerToken (both written by the workload auth subsystem under ScopeWorkloads)
• userProvider — used for c.Secrets (--secret flags) and HeaderForward.AddHeadersFromSecret (both user-specified key names)

config_buildauthfile.go gets its own getScopedWorkloadsSecretsManager() helper rather than reusing the user-facing getSecretsManager(), since build auth files are system-owned (stored by thv config buildauthfile set, not by thv secret set).

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 40.74074% with 64 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.63%. Comparing base (e69251a) to head (c53dbc8).

Files with missing lines	Patch %	Lines
pkg/migration/secret_scope.go	0.00%	32 Missing ⚠️
pkg/auth/secrets/secrets.go	0.00%	15 Missing ⚠️
pkg/runner/runner.go	0.00%	6 Missing ⚠️
pkg/runner/config.go	66.66%	2 Missing and 1 partial ⚠️
pkg/runner/protocol.go	0.00%	2 Missing ⚠️
pkg/workloads/manager.go	0.00%	2 Missing ⚠️
pkg/api/v1/secrets.go	0.00%	1 Missing ⚠️
pkg/mcp/server/list_secrets.go	0.00%	1 Missing ⚠️
pkg/mcp/server/set_secret.go	0.00%	1 Missing ⚠️
pkg/runner/env.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4343      +/-   ##
==========================================
- Coverage   69.64%   69.63%   -0.02%     
==========================================
  Files         491      493       +2     
  Lines       50304    50388      +84     
==========================================
+ Hits        35036    35088      +52     
- Misses      12580    12616      +36     
+ Partials     2688     2684       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[amirejaz]

Closing in favor of a new PR from the correct head branch (phase3-wire-callers). The new PR will show only wire callers changes without including migration commits.