
#22858: Gateway: add eager secrets runtime snapshot activation

by joshavant open 2026-02-21 19:13
gateway commands agents maintainer size: XL
## Summary

- add a new secrets runtime snapshot service that eagerly resolves `${ENV}` and `file+sops` SecretRefs
- activate resolved secrets at gateway startup (fail-fast) and on config reload with last-known-good rollback on apply failures
- add runtime in-memory snapshots for config + auth profiles so hot paths read resolved secrets without disk/sops/env provider calls
- add auth-profile value-level refs (`keyRef`/`tokenRef`) with ref-over-plaintext precedence warnings

## What changed

- new `src/secrets/runtime.ts` resolver/activation module
- gateway startup/reload wiring in `src/gateway/server.impl.ts`
- reload sequencing improvements in `src/gateway/config-reload.ts` (don’t advance current config on hot-reload failures)
- runtime config snapshot hooks in `src/config/io.ts` (+ exports)
- runtime auth-profile snapshot hooks in `src/agents/auth-profiles/store.ts` (+ exports)
- model provider `apiKey` type widened to `SecretInput` and related call-sites adjusted
- tests: `src/secrets/runtime.test.ts`

## Validation

- `pnpm lint`
- `pnpm vitest src/secrets/runtime.test.ts src/gateway/config-reload.test.ts src/agents/pi-auth-json.test.ts`
- `pnpm vitest src/config/config.secrets-schema.test.ts`
- `pnpm tsgo` (fails on pre-existing repo issues in `src/agents/google-gemini-switch.live.test.ts` and `src/discord/voice/manager.ts`)

### Greptile Summary

Introduces eager secrets resolution with runtime snapshots for `${ENV}` and `file+sops` SecretRefs. The implementation activates resolved secrets at gateway startup with fail-fast validation, and on config reload with last-known-good rollback on failures. Auth-profile value-level refs (`keyRef`/`tokenRef`) are added with ref-over-plaintext precedence warnings. Config reload sequencing now advances `currentConfig` only after successful hot-reload application, preventing partial state updates on failures.

### Confidence Score: 4/5

- This PR is safe to merge with minimal risk.
- The implementation is well-structured with comprehensive error handling, fail-fast validation, and rollback mechanisms. The double activation issue from the previous thread has been fixed. Test coverage validates the core functionality. Minor risk remains around edge cases in JSON pointer handling and sops timeout scenarios.
- No files require special attention

Last reviewed commit: f814a5b
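The activation pattern described in the summary above, as an added TypeScript example that is not code from this PR: `${ENV}` refs are resolved eagerly into a frozen in-memory snapshot, startup fails fast, and a failed reload keeps the last-known-good snapshot. `SecretsRuntime`, `resolveSnapshot`, the whole-value `${NAME}` syntax and the sample keys are assumptions made for illustration; `file+sops` refs are not covered.

```typescript
// Added illustration: every name here is hypothetical, not the PR's actual API.
type Config = Record<string, string>;
type Env = Record<string, string | undefined>;
type Snapshot = Readonly<Record<string, string>>;

const ENV_REF = /^\$\{([A-Z_][A-Z0-9_]*)\}$/; // assumed whole-value ${NAME} reference

// Resolve every ref up front; report all failures at once, naming refs, never values.
function resolveSnapshot(config: Config, env: Env): Snapshot {
  const resolved: Record<string, string> = {};
  const missing: string[] = [];
  for (const key of Object.keys(config)) {
    const value = config[key] as string;
    const m = ENV_REF.exec(value);
    if (!m) { resolved[key] = value; continue; }
    const name = m[1] as string;
    const secret = env[name];
    if (secret === undefined || secret === "") missing.push(`${key} -> ${name}`);
    else resolved[key] = secret;
  }
  if (missing.length > 0) throw new Error(`unresolved secret refs: ${missing.join(", ")}`);
  return Object.freeze(resolved);
}

class SecretsRuntime {
  private active: Snapshot | null = null;

  // Startup: fail fast. The error propagates so the process never serves traffic.
  activate(config: Config, env: Env): void {
    this.active = resolveSnapshot(config, env);
  }

  // Reload: swap only after the new snapshot fully resolves; otherwise keep the old one.
  reload(config: Config, env: Env): { applied: boolean; error?: string } {
    try {
      this.active = resolveSnapshot(config, env);
      return { applied: true };
    } catch (err) {
      return { applied: false, error: (err as Error).message };
    }
  }

  // Hot path: in-memory read only, no env or provider lookup.
  get(key: string): string {
    const value = this.active ? this.active[key] : undefined;
    if (value === undefined) throw new Error(`secret not available: ${key}`);
    return value;
  }
}
```

Because `reload` assigns `active` only after `resolveSnapshot` returns, a partially resolved config can never become the live snapshot.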
