Secret masking

Secret masking runs when DevAware OS inspects a project. Environment files are listed, but values that look like secrets are masked, so an API key or token is not pulled into a prompt or shown in the interface.

Masking is part of compiling a clean prompt: the model should receive the scope and structure it needs, not the credentials. Provider keys the user adds are stored encrypted in the OS keychain and never reach the renderer.