
#22846: Config: add secret ref schema and redaction foundations

by joshavant open 2026-02-21 18:56
maintainer size: M
## Summary

- add SecretRef and secrets source schema foundations in config
- allow SecretRef object shape in model provider apiKey schema
- add googlechat serviceAccount sensitive registration and serviceAccountRef schema
- harden redaction for sensitive serviceAccount object payloads
- add schema + redaction tests for new behavior

## Testing

- pnpm vitest src/config/config.secrets-schema.test.ts src/config/redact-snapshot.test.ts src/config/schema.hints.test.ts
- pnpm tsgo (fails due to unrelated existing repo issues)

### Greptile Summary

This PR establishes the foundation for secret management by introducing `SecretRef` types and redaction logic for sensitive configuration fields.

**Key Changes:**

- Added `SecretRef` schema with validation (allows environment variables or file-based secrets via SOPS)
- Extended `apiKey` fields in model providers to accept `SecretRef` objects in addition to strings
- Added `serviceAccount` and `serviceAccountRef` support for Google Chat integration
- Enhanced redaction logic to handle object-valued sensitive fields (both whole-object and field-by-field redaction)
- Comprehensive test coverage for schema validation and redaction behavior

**Technical Implementation:**

The redaction system now handles sensitive objects in two ways: fields ending with `serviceAccount` or `serviceAccountRef` are redacted as whole objects, while other sensitive fields (like `apiKey`) containing `SecretRef` objects have their individual properties redacted. This is achieved through the enhanced `isWholeObjectSensitivePath` check and `collectSensitiveStrings` helper function.

The secret ref ID pattern `/^[A-Za-z0-9_./:=-](?:[A-Za-z0-9_./:=~-]{0,127})$/` enforces 1-128 character identifiers with specific allowed characters, preventing spaces and other problematic characters while supporting common patterns like environment variable names and JSON pointer paths.

### Confidence Score: 5/5

- Safe to merge with high confidence - well-tested security-focused changes with clear implementation
- The implementation is thorough with comprehensive test coverage for both schema validation and redaction behavior. The changes are additive (no breaking changes), security-focused (proper credential redaction), and include proper validation patterns. All new functionality is tested with both positive and negative test cases.
- No files require special attention

Last reviewed commit: 7a7d98d
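As an added illustration, not code from the PR or from the repository it targets, the TypeScript below sketches the two redaction modes the Greptile summary describes (whole-object redaction for paths ending in `serviceAccount` / `serviceAccountRef`, field-by-field redaction for `SecretRef` objects under `apiKey`) together with the secret ref ID pattern it quotes. The function bodies, the `[REDACTED]` marker, the `SecretRef` field names (`source`, `id`, `provider`) and the sample configuration are assumptions constructed for the example; only the regex and the path-suffix rule come from the page.

```typescript
// Illustrative redaction helpers (constructed example, not the PR's code).
// Only the ID regex and the "whole object vs field-by-field" rule come from
// the PR summary; every name and shape below is an assumption.

// ID pattern quoted in the PR summary: 1-128 chars, first char may not be '~'.
const SECRET_REF_ID_PATTERN = /^[A-Za-z0-9_./:=-](?:[A-Za-z0-9_./:=~-]{0,127})$/;

const REDACTED = "[REDACTED]"; // assumed marker

// Keys registered as sensitive (assumed list; the PR mentions apiKey and
// the googlechat serviceAccount / serviceAccountRef fields).
const SENSITIVE_KEYS = new Set(["apiKey", "serviceAccount", "serviceAccountRef"]);

// Keys whose entire value is replaced as one unit rather than field by field.
const WHOLE_OBJECT_KEYS = new Set(["serviceAccount", "serviceAccountRef"]);

type JsonValue =
  | string
  | number
  | boolean
  | null
  | JsonValue[]
  | { [key: string]: JsonValue };

export function isValidSecretRefId(id: string): boolean {
  return SECRET_REF_ID_PATTERN.test(id);
}

// True when the last path segment names a whole-object sensitive field.
export function isWholeObjectSensitivePath(path: string[]): boolean {
  const last = path[path.length - 1];
  return last !== undefined && WHOLE_OBJECT_KEYS.has(last);
}

// True when any ancestor key is sensitive, so properties of a SecretRef
// object stored under apiKey are covered too.
export function isSensitivePath(path: string[]): boolean {
  return path.some((segment) => SENSITIVE_KEYS.has(segment));
}

// Returns a copy of the snapshot with secrets replaced by REDACTED.
export function redactSnapshot(value: JsonValue, path: string[] = []): JsonValue {
  if (isWholeObjectSensitivePath(path)) {
    return REDACTED; // serviceAccount payloads are redacted wholesale
  }
  if (value === null || typeof value !== "object") {
    return isSensitivePath(path) ? REDACTED : value; // leaf under apiKey etc.
  }
  if (Array.isArray(value)) {
    return value.map((item, i) => redactSnapshot(item, [...path, String(i)]));
  }
  const out: { [key: string]: JsonValue } = {};
  for (const [key, child] of Object.entries(value)) {
    out[key] = redactSnapshot(child, [...path, key]);
  }
  return out;
}

// Collects every string that sits at a sensitive path, e.g. to scrub log
// output. Whole-object fields contribute all of their string leaves.
export function collectSensitiveStrings(value: JsonValue, path: string[] = []): string[] {
  if (value === null || typeof value !== "object") {
    return typeof value === "string" && isSensitivePath(path) ? [value] : [];
  }
  if (Array.isArray(value)) {
    return value.flatMap((item, i) => collectSensitiveStrings(item, [...path, String(i)]));
  }
  return Object.entries(value).flatMap(([key, child]) =>
    collectSensitiveStrings(child, [...path, key]),
  );
}

// Constructed sample configuration; values are placeholders, not real secrets.
export const SAMPLE_CONFIG: JsonValue = {
  models: {
    providers: {
      openai: { apiKey: "sk-constructed-example-key" },
      anthropic: { apiKey: { source: "env", id: "ANTHROPIC_API_KEY" } },
    },
  },
  channels: {
    googlechat: {
      serviceAccount: { client_email: "bot@example.invalid", private_key: "CONSTRUCTED-KEY" },
      serviceAccountRef: { source: "file", id: "secrets/googlechat.json", provider: "sops" },
    },
  },
  logging: { level: "info" },
};

console.log(JSON.stringify(redactSnapshot(SAMPLE_CONFIG), null, 2));
```

Running the block prints the sample config with both `apiKey` forms scrubbed (the string replaced outright, the `SecretRef` object keeping its keys but losing its values), both Google Chat fields collapsed to a single `[REDACTED]`, and the non-sensitive `logging.level` untouched.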
