Add factory helpers for user and scoped secret providers #4242

Open
amirejaz wants to merge 2 commits into scoped-secret-providers from phase2-factory-helpers

@amirejaz
Contributor

Summary

  • Callers currently have to manually wrap the result of CreateSecretProvider in UserProvider or ScopedProvider; this PR adds dedicated constructors so the wrapping is consistent and boilerplate-free.
  • Adds CreateUserSecretProvider(providerType) — creates the base provider and wraps it in UserProvider, blocking all __thv_* keys. Intended for user-facing callers (CLI, API, MCP tool server).
  • Adds CreateScopedSecretProvider(providerType, scope) — creates the base provider and wraps it in ScopedProvider, namespacing all key operations under __thv_<scope>_. Intended for internal callers such as the registry or workloads subsystem.

This is Phase 2 of the scoped secret store implementation (part of #4188). Phase 1 (#4229) introduced ScopedProvider and UserProvider; this PR exposes them through the factory layer.

Type of change

  • New feature (non-breaking change which adds functionality)

Test plan

  • Unit tests added to pkg/secrets/factory_test.go covering both helpers for the environment provider type (the only provider that works without external dependencies in CI), system-key blocking, and the unknown-provider error path.
  • go test ./pkg/secrets/... — all tests pass.
  • golangci-lint run ./pkg/secrets/... — 0 issues.

Special notes for reviewers

This PR is stacked on top of scoped-secret-providers (Phase 1 #4229). The diff against that branch is a single commit touching only factory.go and factory_test.go.

Generated with Claude Code
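
The two wrappers described in the summary above, as an added sketch that is not the project's code: `memStore`, `userView`, `scopedView` and both error values are hypothetical stand-ins for the base provider, UserProvider and ScopedProvider. Only the `__thv_` prefix and the `__thv_<scope>_` key layout come from the PR text.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const systemPrefix = "__thv_" // reserved prefix named in the PR description
var errReserved = errors.New("reserved system key")
var errNotFound = errors.New("secret not found")

// memStore is a constructed in-memory stand-in for the base provider.
type memStore map[string]string
func (m memStore) Set(k, v string) error { m[k] = v; return nil }
func (m memStore) Get(k string) (string, error) {
	if v, ok := m[k]; ok {
		return v, nil
	}
	return "", errNotFound
}

// userView refuses every reserved key, on reads and writes, before it reaches the base store.
type userView struct{ base memStore }
func (u userView) Get(k string) (string, error) {
	if strings.HasPrefix(k, systemPrefix) {
		return "", errReserved
	}
	return u.base.Get(k)
}
func (u userView) Set(k, v string) error {
	if strings.HasPrefix(k, systemPrefix) {
		return errReserved
	}
	return u.base.Set(k, v)
}

// scopedView stores each key as __thv_<scope>_<key> in the base store.
type scopedView struct{ base memStore; scope string }
func (s scopedView) full(k string) string         { return systemPrefix + s.scope + "_" + k }
func (s scopedView) Get(k string) (string, error) { return s.base.Get(s.full(k)) }
func (s scopedView) Set(k, v string) error        { return s.base.Set(s.full(k), v) }

func main() {
	base := memStore{}
	_ = scopedView{base, "registry"}.Set("token", "constructed-value")
	fmt.Println(userView{base}.Get("__thv_registry_token")) // empty value and the reserved-key error
}
```

Both views share one base store, so the prefix check in `userView` is the only thing keeping user-facing callers away from the scoped entries.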

…elpers

Expose convenience constructors that wrap the base secret provider in either
a UserProvider (blocks system-reserved __thv_ keys for user-facing callers)
or a ScopedProvider (namespaces all operations under a given scope for
internal callers such as the registry or workloads subsystems).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions github-actions bot added the size/XS Extra small PR: < 100 lines changed label Mar 19, 2026

codecov bot commented Mar 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.26%. Comparing base (e52d21b) to head (c6f42f7).

Additional details and impacted files
@@                     Coverage Diff                     @@
##           scoped-secret-providers    #4242      +/-   ##
===========================================================
+ Coverage                    68.82%   69.26%   +0.43%     
===========================================================
  Files                          469      469              
  Lines                        47189    47137      -52     
===========================================================
+ Hits                         32480    32651     +171     
+ Misses                       12007    11975      -32     
+ Partials                      2702     2511     -191     

}

func TestCreateUserSecretProvider(t *testing.T) { //nolint:paralleltest
ctx := context.Background()
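
Review bot: The //nolint:paralleltest directive on the TestCreateUserSecretProvider signature line gives no reason for the suppression. Append a short explanation after the directive so a later reader can tell why this test must not run in parallel; the same directive on TestCreateScopedSecretProvider needs the same treatment.
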
Collaborator

why not use t.Context()?

}

func TestCreateScopedSecretProvider(t *testing.T) { //nolint:paralleltest
ctx := context.Background()
Collaborator

t.Context() would be better.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions github-actions bot added size/XS Extra small PR: < 100 lines changed and removed size/XS Extra small PR: < 100 lines changed labels Mar 24, 2026