Bump secrecy from 0.8.0 to 0.10 across the workspace — 3 years of maintenance skipped #313

@ooloth

Current state

secrecy is pinned at 0.8.0 (released 2021) in four workspace crates. The current stable release is 0.10.3 (October 2024), meaning three years of fixes and API evolution are not applied. secrecy wraps credentials throughout the codebase via Secret<String> — it is the primary mechanism by which API tokens and passwords are protected in memory. Running on a version that has not received three years of security-focused maintenance is an unexamined risk given the sensitivity of what the type protects.

Ideal state

  • All four crates pin secrecy = "0.10"
  • Cargo.lock resolves secrecy to 0.10.3 or later
  • cargo check passes with no errors after the upgrade
  • just test passes with no regressions

Starting points

  • config/Cargo.toml: secrecy = "0.8" (line 9)
  • domain/Cargo.toml: secrecy = "0.8" (line 9)
  • workflows/Cargo.toml: secrecy = "0.8" (line 14)
  • ui/tui/Cargo.toml: secrecy = "0.8" (line 34)

QA plan

  1. Bump all four crates to secrecy = "0.10" and run cargo update secrecy from the workspace root — expect the command to complete without error
  2. Run cargo check from the workspace root — expect no compilation errors; fix any breaking API changes introduced between 0.8 and 0.10
  3. Run just test — expect no test regressions
  4. Confirm Cargo.lock contains name = "secrecy" with version = "0.10.x" or later

Done when

All four workspace crates declare secrecy = "0.10", cargo check passes clean, and Cargo.lock reflects the bumped version.
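
An added example, not part of the issue or the repository: a std-only check for QA step 4 that lists every secrecy version recorded in Cargo.lock and flags any below 0.10.3. Cargo can lock two semver-incompatible versions of one crate side by side, so a dependency that still requires 0.8 would leave a second entry behind. The function names and SAMPLE_LOCK are hypothetical, and the sample lock content is constructed.

```rust
// SAMPLE_LOCK is constructed for illustration; it is not the project's lock file.
const SAMPLE_LOCK: &str = r#"
version = 3
[[package]]
name = "secrecy"
version = "0.8.0"
[[package]]
name = "secrecy"
version = "0.10.3"
[[package]]
name = "zeroize"
version = "1.8.1"
"#;

/// Parse "major.minor.patch"; pre-release and build suffixes are ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Every version recorded for `name` in the given Cargo.lock text.
fn locked_versions(lock: &str, name: &str) -> Vec<String> {
    let (mut found, mut current) = (Vec::new(), "");
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            current = ""; // a new package entry starts; forget the previous name
        } else if let Some(v) = line.strip_prefix("name = ") {
            current = v.trim_matches('"');
        } else if let (Some(v), true) = (line.strip_prefix("version = "), current == name) {
            found.push(v.trim_matches('"').to_string());
        }
    }
    found
}

/// Locked versions of `name` older than `min`; unparseable versions count as stale.
fn stale_versions(lock: &str, name: &str, min: (u64, u64, u64)) -> Vec<String> {
    let mut all = locked_versions(lock, name);
    all.retain(|v| parse_version(v).map_or(true, |p| p < min));
    all
}

fn main() {
    let stale = stale_versions(SAMPLE_LOCK, "secrecy", (0, 10, 3));
    println!("secrecy versions below 0.10.3 still locked: {:?}", stale);
}
```

To run it against the real lock file, read Cargo.lock with std::fs::read_to_string and fail the check when the returned list is non-empty.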
