[Security] Provider API credentials (api_key, api_secret) returned in plaintext via GET /api/providers

## Description
The `GET /api/providers` endpoint returns full Twilio/Telnyx credentials in plaintext:

```json
{
  "providers": [{
    "type": "twilio",
    "api_key": "AC1234567890...",
    "api_secret": "auth_token_here..."
  }]
}
```

## Impact
- Any XSS vulnerability or browser extension can steal SMS provider credentials
- Credentials should never be sent to the frontend — they're only needed server-side for sending SMS
- Stolen credentials allow sending SMS as the user, reading SMS history, and more

## Fix
Mask credentials in API responses:
```typescript
const masked = data.map(p => ({
  ...p,
  api_key: p.api_key.slice(0, 8) + '••••••••',
  api_secret: '••••••••'
}));
```

Or better: don't return credentials at all in GET responses. Only accept them on POST.

## Severity
🔴 High — credential exposure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Provider API credentials (api_key, api_secret) returned in plaintext via GET /api/providers #28

Description

Impact

Fix

Severity

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Security] Provider API credentials (api_key, api_secret) returned in plaintext via GET /api/providers #28

Description

Description

Impact

Fix

Severity

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions