Issue · Feature · Open · Extensions

@swamp/digitalocean/space-key stores secret in plaintext - should mark as sensitive

Opened by stack72 · 4/7/2026 · GitHub #29

Description

The @swamp/digitalocean/space-key extension model does not mark the secret field as sensitive in its ResourceSchema. When a Spaces key is created via the DigitalOcean API, the response includes both access_key and secret. The secret field is not declared in the schema and passes through via .passthrough(), resulting in it being stored in plaintext in the .swamp/ data directory.

Steps to reproduce

  1. Create a space-key model: swamp model create @swamp/digitalocean/space-key my-key --global-arg name=test-key
  2. Run the create method: swamp model method run my-key create
  3. Inspect the persisted data in .swamp/data/ — the secret field is stored in plaintext

Expected behavior

The secret field should be:

  1. Explicitly declared in the ResourceSchema (not relying on .passthrough())
  2. Marked with z.meta({ sensitive: true }) so it is auto-vaulted
  3. Replaced with a ${{ vault.get(...) }} reference in the persisted data

Suggested fix

In space_key.ts, update the ResourceSchema to explicitly include the secret field with sensitive metadata:

import { z } from "zod"; // zod v4, which provides .meta()

// Resource shape returned by the DigitalOcean Spaces key API. `secret` is now
// declared explicitly and tagged as sensitive so it can be vaulted instead of
// being written to .swamp/data/ in plaintext. Passthrough stays so any other
// fields in the response are still kept.
const ResourceSchema = z.object({
  name: z.string().optional(),
  grants: z.array(z.object({
    bucket: z.string().optional(),
    permission: z.string().optional(),
  })).optional(),
  access_key: z.string().optional(),
  // Sensitive metadata on the field itself, so it no longer relies on passthrough
  secret: z.string().meta({ sensitive: true }).optional(),
  created_at: z.string().optional(),
}).passthrough();
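To make the difference between the two schemas concrete, here is an added example that is not part of the issue, swamp or zod. It models, with plain TypeScript and no dependencies, the rule the issue relies on: a declared field tagged sensitive is moved into a vault and replaced by a `${{ vault.get(...) }}` reference before persistence, while a field that survives only through passthrough is written as-is. The `Schema`, `persist`, `vaultRef` and `undeclaredPlaintextKeys` names, the vault key format and the API response values are all constructed assumptions for illustration, not swamp's actual vaulting code. The last function is the defender-side check: given a persisted record, it lists plaintext string keys the schema never declared, which is exactly how the `secret` field described above would show up in an audit of `.swamp/data/`.

```typescript
// Added example (not swamp's or zod's code): a minimal model of how a declared
// field with `sensitive` metadata is vaulted before persistence while an
// undeclared field that survives only via passthrough is stored in plaintext.
// Schema, persist, vault layout and sample values are assumptions.

type FieldMeta = { sensitive?: boolean };

interface Schema {
  fields: Record<string, FieldMeta>; // declared fields and their metadata
  passthrough: boolean;              // keep unknown keys, like zod's .passthrough()
}

// Constructed stand-in for the API response of a Spaces key creation.
const apiResponse: Record<string, unknown> = {
  name: "test-key",
  access_key: "DO00EXAMPLEACCESSKEY",             // constructed sample value
  secret: "example-secret-not-a-real-credential", // constructed sample value
  created_at: "2026-04-07T00:00:00Z",             // constructed sample value
};

// Schema as the issue describes the current state: `secret` is not declared,
// so it reaches the persisted record only through passthrough.
const currentSchema: Schema = {
  fields: { name: {}, access_key: {}, created_at: {} },
  passthrough: true,
};

// Schema as the suggested fix declares it: `secret` is explicit and sensitive.
const fixedSchema: Schema = {
  fields: { name: {}, access_key: {}, secret: { sensitive: true }, created_at: {} },
  passthrough: true,
};

// Own-property check so inherited names like "constructor" never count as declared.
function declared(schema: Schema, key: string): boolean {
  return Object.prototype.hasOwnProperty.call(schema.fields, key);
}

// Build a reference in the `${{ vault.get(...) }}` form the issue expects.
function vaultRef(vaultKey: string): string {
  return '${{ vault.get("' + vaultKey + '") }}';
}

// Persist one record: declared sensitive strings are moved into `vault` and
// replaced by a reference; other declared fields are copied; undeclared keys
// are copied only when the schema passes them through.
function persist(
  modelName: string,
  schema: Schema,
  record: Record<string, unknown>,
  vault: Map<string, string>,
): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(record)) {
    if (!declared(schema, key)) {
      if (schema.passthrough) out[key] = value; // undeclared: no sensitive handling possible
      continue;
    }
    if (schema.fields[key].sensitive && typeof value === "string") {
      const vaultKey = `${modelName}.${key}`; // assumed vault key layout
      vault.set(vaultKey, value);
      out[key] = vaultRef(vaultKey);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Audit check for already persisted data: list keys that hold a plaintext
// string but are not declared in the schema. Such keys can only have arrived
// via passthrough, so they bypassed sensitive handling and deserve review.
function undeclaredPlaintextKeys(schema: Schema, persisted: Record<string, unknown>): string[] {
  const flagged: string[] = [];
  for (const [key, value] of Object.entries(persisted)) {
    if (declared(schema, key)) continue;
    if (typeof value === "string" && !value.startsWith("${{")) flagged.push(key);
  }
  return flagged;
}

// Run both schemas over the same response so the difference is visible.
function demo(): { before: Record<string, unknown>; after: Record<string, unknown> } {
  const before = persist("my-key", currentSchema, apiResponse, new Map());
  const after = persist("my-key", fixedSchema, apiResponse, new Map());
  return { before, after };
}

function printDemo(): void {
  const r = demo();
  console.log("current schema  :", r.before, "undeclared plaintext:", undeclaredPlaintextKeys(currentSchema, r.before));
  console.log("suggested schema:", r.after, "undeclared plaintext:", undeclaredPlaintextKeys(fixedSchema, r.after));
}

printDemo();
```

Running it shows `secret` stored verbatim under the current schema and flagged by the audit, and stored as `${{ vault.get("my-key.secret") }}` under the fixed schema with the plaintext value living only in the vault map. The audit function is the useful part for anyone who already has persisted models on disk: any non-reference string under a key the schema does not declare is a candidate for the same class of leak.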

Environment

  • swamp version: 20260401.170720.0-sha.ac267ac9
  • Extension: @swamp/digitalocean v2026.03.31.1

Automoved by swampadmin from GitHub issue #29

Bog Flow: Open → Triaged → In Progress → Shipped

Current phase: Open (4/7/2026, 11:28:58 PM)

No activity in this phase yet.
