feat(secrets): add secrets resolution to SettingsParameters #40

Merged: discreteds merged 9 commits into develop from feature/secrets-resolution on May 5, 2026

@discreteds

Member

Summary

  • Adds transparent secret: prefix resolution to SettingsParameters via a pluggable resolver registry
  • New secrets_provider structural parameter on SettingsParameters controls whether and how secrets are resolved
  • Resolution fires at three interception points: kwargs before construction, instance fields after construction, and runtime overrides on cache hits
  • Write-once registry prevents silent resolver replacement; explicit replace_secrets_resolver() and clear_secrets_registry() for controlled use

Changes

  • New module: src/mountainash_settings/secrets/ — registry, dict-walker, instance-walker
  • SettingsParameters: new secrets_provider field (structural, in hash/eq/merge/create/to_dict)
  • MountainAshBaseSettings: kwargs pre-resolution + post-construction instance resolution + bookkeeping
  • Exports: SecretsResolver, register_secrets_resolver, get_secrets_resolver, replace_secrets_resolver, clear_secrets_registry

Design decisions

  • secrets_provider is structural (affects cache key) because different providers produce different field values
  • No SecretsResolvingSource wrapper — post-construction resolution avoids class-level model_config bleed (per adversarial review)
  • Registry is write-once per provider; ValueError on duplicate registration
  • Secret caching/TTL deferred to resolver implementations

Test plan

  • Registry: register, get, duplicate raises ValueError, replace, clear (6 tests)
  • Dict resolver: flat, nested, non-string passthrough, custom prefix, immutability (7 tests)
  • Instance resolver: string fields, SecretStr fields, skips non-string, skips bookkeeping (5 tests)
  • SettingsParameters: hash/eq/create/merge/to_dict with secrets_provider (10 tests)
  • Integration: kwargs resolution, config file resolution, no-provider literal, cache-hit override (4 tests)
  • Public API smoke test
  • Full suite: 413 passed, ruff clean, no new mypy errors

🤖 Generated with Claude Code
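
The write-once registry and dict-walker behaviour described in the summary above, as an added sketch that is not code from this pull request or from mountainash_settings. The names `register`, `replace`, `clear` and `resolve_mapping`, their signatures, the `LookupError` on an unregistered provider, and the in-memory vault are assumptions made for illustration.

```python
from typing import Any, Callable, Dict, Optional

# Hypothetical names throughout; this is not the project's API.
Resolver = Callable[[str], str]          # maps a secret name to its value
_REGISTRY: Dict[str, Resolver] = {}      # provider name -> resolver


def register(provider: str, resolver: Resolver) -> None:
    """Write-once: a second registration for the same provider is an error."""
    if provider in _REGISTRY:
        raise ValueError(f"resolver already registered for {provider!r}")
    _REGISTRY[provider] = resolver


def replace(provider: str, resolver: Resolver) -> None:
    """Explicit replacement, easy to find in review (e.g. test fixtures)."""
    _REGISTRY[provider] = resolver


def clear() -> None:
    _REGISTRY.clear()


def resolve_mapping(data: Dict[str, Any], provider: Optional[str],
                    prefix: str = "secret:") -> Dict[str, Any]:
    """Resolve prefixed strings into a new dict; the input is never mutated."""
    if provider is None:                 # no provider: values stay literal
        return data
    try:
        resolver = _REGISTRY[provider]
    except KeyError:                     # assumed behaviour: fail loudly
        raise LookupError(f"no resolver registered for {provider!r}") from None

    def walk(value: Any) -> Any:
        if isinstance(value, dict):
            return {k: walk(v) for k, v in value.items()}
        if isinstance(value, str) and value.startswith(prefix):
            return resolver(value[len(prefix):])
        return value                     # non-string values pass through

    return walk(data)


# Constructed sample: an in-memory "vault" standing in for a real backend.
_VAULT = {"db/password": "s3cr3t", "api/token": "tok-123"}
register("memory", _VAULT.__getitem__)

CONFIG = {"db": {"user": "app", "password": "secret:db/password"}, "port": 5432}
RESOLVED = resolve_mapping(CONFIG, "memory")
```
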

discreteds and others added 9 commits May 5, 2026 23:56
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Address three findings:
- kwargs on cache-hit now resolved in apply_runtime_overrides()
- Drop SecretsResolvingSource wrapper; use post-construction instance
  field resolution to avoid model_config class-level bleed
- Registry uses write-once semantics with explicit replace/clear API

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ruction

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…he-hit paths

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud Bot commented May 5, 2026

Quality Gate failed

Failed conditions
E Security Rating on New Code (required ≥ A)

@codecov

codecov Bot commented May 5, 2026

Codecov Report

❌ Patch coverage is 95.77465% with 3 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (develop@2acb1f1). Learn more about missing BASE report.
⚠️ Report is 9 commits behind head on develop.
✅ All tests successful. No failed tests found.

Files with missing lines | Patch % | Lines
src/mountainash_settings/secrets/resolve.py | 90.32% | 1 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             develop      #40   +/-   ##
==========================================
  Coverage           ?   96.90%           
==========================================
  Files              ?       36           
  Lines              ?      938           
  Branches           ?      123           
==========================================
  Hits               ?      909           
  Misses             ?       16           
  Partials           ?       13           

@discreteds discreteds merged commit 73e96ab into develop May 5, 2026
5 of 6 checks passed
@discreteds discreteds deleted the feature/secrets-resolution branch May 5, 2026 14:52