[DEVT-2958] feat: resolve codefresh external secrets #220

Merged
vigneshrajsb merged 1 commit into main from vb/codefresh-external-secret-resolution
Jun 26, 2026
@vigneshrajsb (Contributor) commented Jun 26, 2026

Summary

  • Resolves external secret refs in Codefresh deploy and destroy environment variables before invoking Codefresh.
  • Reuses the existing external-secret processor and waits for synced Kubernetes secrets before passing values to Codefresh.
  • Shell-quotes Codefresh variable values so resolved secrets with apostrophes or shell-like content do not break command execution.
  • Redacts secret-backed Codefresh variables from Lifecycle command logging and shell failure messages.
  • Cleans up temporary Codefresh external-secret resources after destroy resolution so teardown does not leave regenerated secret resources behind.
  • Adds coverage for deploy, destroy, nested object env values, no-secret behavior, missing provider config, missing synced secret keys, shell quoting, destroy cleanup, and destroy cleanup when Codefresh fails.

Validation

  • corepack pnpm test -- src/server/lib/tests/cli.test.ts src/server/lib/tests/codefreshExternalSecrets.test.ts
  • corepack pnpm exec eslint src/server/lib/cli.ts src/server/lib/shell.ts src/server/lib/codefreshExternalSecrets.ts src/server/lib/tests/cli.test.ts src/server/lib/tests/codefreshExternalSecrets.test.ts
  • corepack pnpm exec tsc --project tsconfig.server.json --noEmit --pretty false
  • corepack pnpm run lint
  • corepack pnpm test -- --testPathIgnorePatterns=.claude/worktrees

Notes

  • Raw secret values are not included in this PR description or tests.
  • Full pnpm test without ignoring local .claude/worktrees is noisy in this workspace because Jest discovers duplicate checked-out worktrees; rerunning with that local directory ignored passed.
  • pnpm run ts-check was attempted and is blocked by existing repo-wide type issues unrelated to this patch; the server typecheck listed above passes.

@vigneshrajsb force-pushed the vb/codefresh-external-secret-resolution branch from 56b0ee3 to ee6941a, June 26, 2026 19:33
@vigneshrajsb force-pushed the vb/codefresh-external-secret-resolution branch from ee6941a to 82b7e07, June 26, 2026 19:36
@vigneshrajsb marked this pull request as ready for review, June 26, 2026 23:13
@vigneshrajsb requested a review from a team as a code owner, June 26, 2026 23:13
@vigneshrajsb merged commit c733cd4 into main, Jun 26, 2026
5 checks passed
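
The shell quoting and log redaction described in the PR summary, as an added example that is not code from this PR or the Lifecycle repository. All names (CodefreshVar, shellQuote, buildCommand, redact), the `codefresh run ... -v NAME=value` command shape and the sample values are assumptions made for illustration.

```typescript
// Added illustration; every name here is hypothetical, not the project's API.
interface CodefreshVar {
  name: string;
  value: string;
  fromSecret: boolean; // true when the value was resolved from an external secret
}

// POSIX single-quote quoting: inside '...' only ' itself is special, so each
// apostrophe becomes '\'' (close quote, escaped quote, reopen quote).
function shellQuote(value: string): string {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

const VALID_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Returns the command to execute and a log-safe copy with secret values masked.
function buildCommand(base: string, vars: CodefreshVar[]): { exec: string; log: string } {
  const exec: string[] = [base];
  const log: string[] = [base];
  for (const v of vars) {
    // Quoting protects the value only; the name is validated separately.
    if (!VALID_NAME.test(v.name)) throw new Error(`invalid variable name: ${v.name}`);
    exec.push(`-v ${v.name}=${shellQuote(v.value)}`);
    log.push(`-v ${v.name}=${v.fromSecret ? "'[REDACTED]'" : shellQuote(v.value)}`);
  }
  return { exec: exec.join(" "), log: log.join(" ") };
}

// Masks resolved values in text we did not build, e.g. a shell failure message.
function redact(text: string, vars: CodefreshVar[]): string {
  let out = text;
  for (const v of vars) {
    if (!v.fromSecret || v.value === "") continue;
    // Replace the quoted form first, then any raw occurrence of the value.
    for (const needle of [shellQuote(v.value), v.value]) {
      out = out.split(needle).join("[REDACTED]");
    }
  }
  return out;
}

// Constructed sample input (not real secrets).
const sampleVars: CodefreshVar[] = [
  { name: "BRANCH", value: "main", fromSecret: false },
  { name: "DB_PASSWORD", value: "it's $HOME `x`", fromSecret: true },
];
const sample = buildCommand("codefresh run example/pipeline", sampleVars);
```

Only `sample.log` is suitable for logging; `sample.exec` carries the resolved value and should reach nothing but the shell invocation.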