GET /api/settings now returns jellyfin_api_key, radarr_api_key,
sonarr_api_key, mqtt_password as "***" when set (empty string when
unset). Real values only reach the client via an explicit
GET /api/settings/reveal?key=<key> call, wired to an eye icon on
each secret input in the Settings page.
Save endpoints treat an incoming "***" as a sentinel meaning "user
didn't touch this field, keep stored value", so saving without
revealing preserves the existing secret.
Addresses audit finding #3 (settings endpoint leaks secrets).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Felix Förtsch
e040c9a234