feat: add per-app sensitive keys section to AppConfigDetailPage

Adds sensitiveKeys/globalSensitiveKeys/mergedSensitiveKeys fields to
ApplicationConfig, unwraps the new AppConfigResponse envelope in
useApplicationConfig, and renders an editable Sensitive Keys section
with read-only global pills and add/remove app-specific key tags.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ui/src/api/queries/commands.ts

@@ -31,6 +31,9 @@ export interface ApplicationConfig {
   tapVersion: number
   routeRecording: Record<string, boolean>
   compressSuccess: boolean
+  sensitiveKeys?: string[]
+  globalSensitiveKeys?: string[]
+  mergedSensitiveKeys?: string[]
 }
 
 /** Authenticated fetch using the JWT from auth store. Paths are relative to apiBaseUrl. */
@@ -58,8 +61,13 @@ export function useApplicationConfig(application: string | undefined) {
     queryKey: ['applicationConfig', application],
     queryFn: async () => {
       const res = await authFetch(`/config/${application}`)
-      if (!res.ok) throw new Error('Failed to fetch config')
-      return res.json() as Promise<ApplicationConfig>
+      if (!res.ok) throw new Error(`Failed to fetch config: ${res.status}`)
+      const data = await res.json()
+      // Server returns AppConfigResponse: { config, globalSensitiveKeys, mergedSensitiveKeys }
+      const cfg = data.config ?? data
+      cfg.globalSensitiveKeys = data.globalSensitiveKeys ?? null
+      cfg.mergedSensitiveKeys = data.mergedSensitiveKeys ?? null
+      return cfg as ApplicationConfig
     },
     enabled: !!application,
   })