feat: add secret settings manager and migration for legacy settings

- Implemented SecretSettingsManager to handle secret settings with encryption.
- Added functionality to migrate legacy plaintext settings into encrypted storage.
- Introduced methods for setting, getting, and clearing secret settings.
- Created tests for verifying the migration and canonicalization of secret settings.
- Updated app state to handle service updates via socket communication.
- Added interface for push service updates to manage service state changes.

ts/cli.ts

@@ -382,7 +382,17 @@ async function handleSystemdCommand(subcommand: string, _args: string[]) {
 async function handleConfigCommand(onebox: Onebox, subcommand: string, args: string[]) {
   switch (subcommand) {
     case 'show': {
+      for (const secretKey of onebox.database.getCanonicalSecretSettingKeys()) {
+        await onebox.database.getSecretSetting(secretKey);
+      }
+
       const settings = onebox.database.getAllSettings();
+      for (const secretKey of onebox.database.getCanonicalSecretSettingKeys()) {
+        if (await onebox.database.hasSecretSetting(secretKey)) {
+          settings[secretKey] = '********';
+        }
+      }
+
       logger.table(
         ['Key', 'Value'],
         Object.entries(settings).map(([k, v]) => [k, v])
@@ -391,7 +401,11 @@ async function handleConfigCommand(onebox: Onebox, subcommand: string, args: str
     }
 
     case 'set':
-      onebox.database.setSetting(args[0], args[1]);
+      if (onebox.database.isSecretSettingKey(args[0])) {
+        await onebox.database.setSecretSetting(args[0], args[1]);
+      } else {
+        onebox.database.setSetting(args[0], args[1]);
+      }
       logger.success(`Setting ${args[0]} updated`);
       break;