Add factory helpers for user and scoped secret providers

[amirejaz]

Summary

• Callers currently have to manually wrap the result of CreateSecretProvider in UserProvider or ScopedProvider; this PR adds dedicated constructors so the wrapping is consistent and boilerplate-free.
• Adds CreateUserSecretProvider(providerType) — creates the base provider and wraps it in UserProvider, blocking all __thv_* keys. Intended for user-facing callers (CLI, API, MCP tool server).
• Adds CreateScopedSecretProvider(providerType, scope) — creates the base provider and wraps it in ScopedProvider, namespacing all key operations under __thv_<scope>_. Intended for internal callers such as the registry or workloads subsystem.

This is Phase 2 of the scoped secret store implementation (part of #4188). Phase 1 (#4229) introduced ScopedProvider and UserProvider; this PR exposes them through the factory layer.

Type of change

• New feature (non-breaking change which adds functionality)

Test plan

• Unit tests added to pkg/secrets/factory_test.go covering both helpers for the environment provider type (the only provider that works without external dependencies in CI), system-key blocking, and the unknown-provider error path.
• go test ./pkg/secrets/... — all tests pass.
• golangci-lint run ./pkg/secrets/... — 0 issues.

Special notes for reviewers

This PR is stacked on top of scoped-secret-providers (Phase 1 #4229). The diff against that branch is a single commit touching only factory.go and factory_test.go.

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 90.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 68.33%. Comparing base (e52d21b) to head (ff30eb6).

Files with missing lines	Patch %	Lines
pkg/secrets/factory.go	90.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@                     Coverage Diff                     @@
##           scoped-secret-providers    #4242      +/-   ##
===========================================================
- Coverage                    68.82%   68.33%   -0.50%     
===========================================================
  Files                          469      469              
  Lines                        47189    47248      +59     
===========================================================
- Hits                         32480    32285     -195     
- Misses                       12007    12085      +78     
- Partials                      2702     2878     +176     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[JAORMX]

why not use t.Context()?

[JAORMX]

t.Context() would be better.