fix(secret_hex): add secret_hex/secret_payload filters; refactor outline_runtime

[baditaflorin]

Summary

• scripts/secret_masking_utility.py: add generate_real_secret_hex(service_name, length) — produces srvclaw_hex_<service>_<64hex>, greppable like srvclaw_ family but payload is pure lowercase hex (ADR 0403 hex_32 form)
• plugins/filter/generate_secret.py: add secret_hex and secret_payload Jinja2 filters; both registered in FilterModule
• outline_runtime/tasks/main.yml: collapse two-step (openssl shell + manage_service_secrets) into a single manage_service_secrets call using secret_hex; apply secret_payload in set_fact and outline_runtime_secret_payload so SECRET_KEY/UTILS_SECRET env vars receive only the 64-char hex Outline requires

Design

Format	Filter	Stored in file	Used in env var
urlsafe (default)	| secret	srvclaw_outline_<base64>	same
hex (new)	| secret_hex	srvclaw_hex_outline_<64hex>	<64hex> via | secret_payload

Greppable: grep -r srvclaw_hex_ /etc/ catches leaked Outline secrets in the same way grep -r srvclaw_ /etc/ catches urlsafe secrets.

Backward-compatible: existing servers have plain hex files written by openssl rand -hex 32. The write-if-missing guard leaves them unchanged; secret_payload passes through values that don't match the srvclaw_ pattern.

Test plan

• python3 -c "from secret_masking_utility import generate_real_secret_hex; v=generate_real_secret_hex('outline',32); print(len(v.split('_')[-1]), all(c in '0123456789abcdef' for c in v.split('_')[-1]))" → 64 True
• make converge-outline env=production on a clean VM produces Outline env with 64-char hex SECRET_KEY
• Re-converge on existing VM: write-if-missing guard keeps current hex values; Outline stays running without restart

🤖 Generated with Claude Code