refactor(registry): require SecretBackend on from_configs_with_models

[Destynova2]

Summary

ProviderRegistry::from_configs_with_models previously took raw &[ProviderConfig] and trusted callers to invoke storage::secrets::resolve_provider_secrets first. That trust failed three times in three months — once per reload path:

• PR fix(validate): resolve secret: and $ENV placeholders before testing providers #280: preset::build_registry (CLI grob validate)
• PR fix(reload): apply secret resolution on every reload path #284: server::config_guard::reload_state (PUT /api/config)
• PR fix(reload): apply secret resolution on every reload path #284: server::config_api::reload_config (POST /api/config/reload)
• PR fix(reload): apply secret resolution on every reload path #284: server::rpc::server_ns::reload_config (JSON-RPC server/reload)

The bug repeated because the API made it optional to do the right thing. The fix: make secret resolution mandatory at the type level.

What changes

Add secret_backend: &dyn SecretBackend as a required parameter. Apply resolve_provider_secrets internally before building any provider. Every caller now compiles only if it supplies a backend; every backend it supplies will be exercised by the resolver.

// Before (3+ buggy callsites in the wild)
ProviderRegistry::from_configs_with_models(&config.providers, token, &models, &timeouts)

// After (compiler-enforced correctness)
ProviderRegistry::from_configs_with_models(
    &config.providers,
    secret_backend.as_ref(),  // ← mandatory
    token,
    &models,
    &timeouts,
)

Diff summary

File	Change
src/providers/registry.rs	New required parameter + internal resolve_provider_secrets call
src/server/init.rs	Removed redundant explicit resolve call (now internal)
src/preset/validation.rs	Removed redundant explicit resolve call (PR #280 step)
src/server/config_guard.rs	Pass backend, drop the explicit resolve step (PR #284 fix becomes free)
src/server/config_api.rs	Same
src/server/rpc/server_ns.rs	Same
src/providers/registry.rs::tests	Test fixture passes EnvBackend (no-op for literal keys)

Regression test

Added from_configs_routes_resolution_through_backend. It uses a CountingBackend whose get is asserted to be called exactly once for a single secret:-prefixed provider. A future caller that compiles but somehow bypasses resolution would surface as a zero-call counter even before reaching production — closing the loop the unit tests on resolve_provider_secrets left open.

Why no broader test was needed

The unit tests on resolve_provider_secrets already cover the resolution logic itself (4 tests: secret prefix, unknown name, plain string passthrough, missing api_key). The new regression test covers the integration between the resolver and the registry constructor. Together with the type-level enforcement, the bug class is closed.

Test plan

• cargo check --all-features clean
• cargo nextest run --all-features — 1231 tests, 1231 passed
• cargo nextest run -E 'test(from_configs)' — 1/1 (new regression test)
• cargo fmt --all -- --check clean
• cargo clippy -- -D warnings clean
• CI: full nextest + clippy + fmt + audit + deny

Relationship to PRs #280 and #284

This refactor subsumes the per-callsite fixes in PR #280 and PR #284. If they merge first, this PR removes the now-redundant explicit resolve_provider_secrets calls (the resolution moves into from_configs_with_models). If this PR merges first, those PRs become no-ops on the affected lines (the type signature change forces correctness).

Either ordering works without conflict.

🤖 Generated with Claude Code