refactor(repo): wrap credentials in SecretString to prevent leaks

[grainier]

Which issue does this PR close?

Closes #2728

Rationale

Passwords, tokens, and connection strings were stored as plain String, risking exposure via Debug, Display, logs, and error messages.

What changed?

Sensitive credential fields (passwords, PATs, connection URIs, API keys) were plain String values that could leak through derived Debug, log interpolation, or error formatting.

All such fields now use secrecy::SecretString, which redacts in Debug and requires explicit expose_secret() to access the inner value. Custom Debug impls were added for types that hold sensitive String fields not converted to SecretString (e.g., RawPersonalAccessToken, TokenInfo). A serde_secret helper module was added for fields that must be serialized over the wire.

Local Execution

• Passed except for segment_rotation_scenario test fails with "Too many open files" on macOS #2930. It was failing on fresh master as well.
• Pre-commit hooks ran.

All quality checks mentioned in CONTRIBUTING.md pass locally:

• cargo fmt --all
• cargo clippy --all-targets --all-features -- -D warnings
• cargo build
• cargo test
• cargo machete
• cargo sort --workspace
• typos

AI Usage

1. Claude Code (CLI)
2. Used to identify/verify all locations where String passwords/tokens needed conversion to SecretString, for documentation (i.e. core/common/src/utils/serde_secret.rs doc string), and commit review.
3. Verified by running all checks mentioned in CONTRIBUTING.md.
4. Yes.

[codecov]

Codecov Report

❌ Patch coverage is 75.67568% with 72 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.28%. Comparing base (3f651e0) to head (79253f7).

Files with missing lines	Patch %	Lines
...src/types/configuration/auth_config/credentials.rs	0.00%	12 Missing ⚠️
core/connectors/runtime/src/api/config.rs	0.00%	10 Missing ⚠️
core/common/src/utils/serde_secret.rs	42.85%	8 Missing ⚠️
core/common/src/types/user/user_identity_info.rs	0.00%	6 Missing ⚠️
core/sdk/src/quic/quic_client.rs	64.70%	5 Missing and 1 partial ⚠️
core/sdk/src/tcp/tcp_client.rs	64.70%	5 Missing and 1 partial ⚠️
...mon/src/types/permissions/personal_access_token.rs	0.00%	5 Missing ⚠️
core/cli/src/credentials.rs	85.71%	1 Missing and 2 partials ⚠️
...pes/configuration/auth_config/connection_string.rs	81.25%	3 Missing ⚠️
core/sdk/src/client_provider.rs	0.00%	3 Missing ⚠️
... and 5 more

Additional details and impacted files

@@            Coverage Diff             @@
##             master    #2931    +/-   ##
==========================================
  Coverage     70.27%   70.28%            
  Complexity      862      862            
==========================================
  Files          1028     1032     +4     
  Lines         85279    85422   +143     
  Branches      62656    62808   +152     
==========================================
+ Hits          59932    60037   +105     
- Misses        22833    22864    +31     
- Partials       2514     2521     +7     

Flag	Coverage Δ
csharp	67.43% <ø> (-0.19%)	⬇️
go	36.37% <ø> (ø)
java	59.87% <ø> (ø)
node	91.37% <ø> (-0.15%)	⬇️
python	81.43% <ø> (ø)
rust	70.68% <75.67%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...inary_protocol/src/cli/binary_users/create_user.rs	86.95% <100.00%> (ø)
...ol/src/client/binary_personal_access_tokens/mod.rs	100.00% <ø> (ø)
...ore/binary_protocol/src/client/binary_users/mod.rs	100.00% <ø> (ø)
core/common/src/commands/users/change_password.rs	95.03% <100.00%> (+2.72%)	⬆️
core/common/src/commands/users/create_user.rs	91.11% <100.00%> (+1.94%)	⬆️
core/common/src/commands/users/login_user.rs	94.09% <100.00%> (+1.42%)	⬆️
core/connectors/runtime/src/api/auth.rs	100.00% <100.00%> (ø)
core/connectors/runtime/src/context.rs	89.47% <100.00%> (ø)
core/connectors/sinks/mongodb_sink/src/lib.rs	87.05% <100.00%> (ø)
core/connectors/sinks/postgres_sink/src/lib.rs	87.30% <100.00%> (ø)
... and 28 more

... and 16 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[hubcio]

any reason why this is still plain String while RuntimeContext.api_key is SecretString?

[hubcio]

critical issue: you overidden debug, but users of this token can still leak this via Display, Serialize or cloning into log contexts

same issue in RawPersonalAccessToken.token

[hubcio]

preexisting issue: if anyone logs UserState with {:?}, the bcrypt/argon2 hash leaks. The Display impl is safe (doesn't include it), but Debug is not.

[hubcio]

please test this

[hubcio]

cant you just use SecretString::from(password)? SecretString implements From<&str>