feat: audit user secret create, update, and delete (#24756)

Emit user secret audit log entries for create/update/delete operations.
Reads stay un-audited, matching every other resource.

Audit log entries record changes in user secret name, environment
variable name, file path, and value. The secret value column is marked
`ActionSecret` so the diff records the change without showing the
ciphertext or plaintext.

Closes a TOCTOU window on delete to ensure no phantom audit logs for a
delete of a non-existent secret. Secret update accepts a small TOCTOU
window matching the other audited resources (templates, workspaces,
chats). The two-query pattern is wrapped in a transaction so audit state
can't leak from a failed mutation.
Zach
2026-04-29 12:57:47 -06:00
committed by GitHub
parent 25ae415481
commit 1c30d52b2b
24 changed files with 555 additions and 48 deletions
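The delete path the commit message describes (delete the row and write its audit entry inside one transaction, and only when a row was actually removed) shown next to the read-then-delete shape it replaces, as an added illustration that is not this commit's or the project's own code. The in-memory `Store`, its `txn` buffer standing in for a database transaction, `ErrNotFound`, `Record`, and the `"[secret]"` placeholder standing in for an `ActionSecret`-marked column are all assumptions of the example; the sample secret is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrNotFound stands in for the database's "no rows" result (assumed name).
var ErrNotFound = errors.New("user secret not found")
// Secret is a toy user secret; Value would hold ciphertext in a real store.
type Secret struct{ ID, Name, EnvName, FilePath, Value string }
// AuditEntry holds the row state before a delete; the value column is stored as
// a fixed placeholder, like an ActionSecret-style field: diffed, never logged.
type AuditEntry struct {
	Action, ID string
	Before     map[string]string
}

const redacted = "[secret]"

// Store is an in-memory stand-in for the database. Its mutex plays the part of a
// transaction: txn writes are applied only when the callback returns nil.
type Store struct {
	mu      sync.Mutex
	secrets map[string]Secret
	Audit   []AuditEntry // committed audit rows
}

type txn struct{ s *Store; deleted []string; audit []AuditEntry }

func NewStore(seed Secret) *Store {
	return &Store{secrets: map[string]Secret{seed.ID: seed}}
}

// InTx runs fn under the lock and commits its buffered writes only on success.
func (s *Store) InTx(fn func(tx *txn) error) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	tx := &txn{s: s}
	if err := fn(tx); err != nil {
		return err // rollback: buffered deletes and audit rows are discarded
	}
	for _, id := range tx.deleted {
		delete(s.secrets, id)
	}
	s.Audit = append(s.Audit, tx.audit...)
	return nil
}

// DeleteReturning mimics DELETE ... RETURNING: the boolean says whether a row existed.
func (tx *txn) DeleteReturning(id string) (Secret, bool) {
	sec, ok := tx.s.secrets[id]
	if ok {
		tx.deleted = append(tx.deleted, id)
	}
	return sec, ok
}

func (tx *txn) Record(e AuditEntry) { tx.audit = append(tx.audit, e) }

func snapshot(sec Secret) map[string]string {
	return map[string]string{"name": sec.Name, "env_name": sec.EnvName, "file_path": sec.FilePath, "value": redacted}
}

// DeleteNaive is the read-then-delete shape the commit closes for deletes: if the row
// vanishes between the two steps (the between hook simulates that race), an audit
// entry is still written for a delete this call never performed.
func (s *Store) DeleteNaive(id string, between func()) error {
	s.mu.Lock()
	sec, ok := s.secrets[id]
	s.mu.Unlock()
	if !ok {
		return ErrNotFound
	}
	between() // the TOCTOU window
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.secrets, id) // silently a no-op if the row is already gone
	s.Audit = append(s.Audit, AuditEntry{Action: "delete", ID: id, Before: snapshot(sec)})
	return nil
}

// DeleteAudited does the delete and the audit write in one transaction and
// records an entry only when a row was actually removed.
func (s *Store) DeleteAudited(id string) error {
	return s.InTx(func(tx *txn) error {
		sec, ok := tx.DeleteReturning(id)
		if !ok {
			return ErrNotFound
		}
		tx.Record(AuditEntry{Action: "delete", ID: id, Before: snapshot(sec)})
		return nil
	})
}

func main() {
	sample := Secret{ID: "s1", Name: "db_pass", EnvName: "DB_PASS", Value: "ciphertext"} // constructed
	racy := NewStore(sample)
	_ = racy.DeleteNaive("s1", func() { _ = racy.DeleteAudited("s1") }) // a concurrent audited delete wins
	fmt.Println("naive: audit entries for one deleted secret =", len(racy.Audit))
	safe := NewStore(sample)
	fmt.Println("audited:", safe.DeleteAudited("s1"), safe.DeleteAudited("s1"), "entries =", len(safe.Audit))
}
```

The naive store ends up with two delete entries for a row that was deleted once; the transactional store records exactly one, reports `ErrNotFound` for the second attempt, and discards both the delete and its audit row if the callback fails, which is the "audit state can't leak from a failed mutation" property the commit message names.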
+4 -1
@@ -3206,6 +3206,7 @@ const (
ResourceTypeTask ResourceType = "task"
ResourceTypeAiSeat ResourceType = "ai_seat"
ResourceTypeChat ResourceType = "chat"
ResourceTypeUserSecret ResourceType = "user_secret"
)
func (e *ResourceType) Scan(src interface{}) error {
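Review bot: the new constant `ResourceTypeUserSecret ResourceType = "user_secret"` sits in what looks like generated code (the `Scan` method that follows is the usual scanner for a database enum), so two things need confirming outside this hunk: that the migration adding the `user_secret` value to the database enum behind `ResourceType` is part of the same change, since without it the first audit-log insert for a user secret is rejected by the database rather than by Go, and that this file was regenerated rather than edited by hand so the next regeneration does not drop the value.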
@@ -3272,7 +3273,8 @@ func (e ResourceType) Valid() bool {
ResourceTypePrebuildsSettings,
ResourceTypeTask,
ResourceTypeAiSeat,
ResourceTypeChat:
ResourceTypeChat,
ResourceTypeUserSecret:
return true
}
return false
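Review bot: `Valid()` now accepts `ResourceTypeUserSecret`, matching the constant added above; because the constant block, this switch and `AllResourceTypeValues` are three separately maintained lists, a small test asserting that every element of `AllResourceTypeValues()` passes `Valid()` and that the count equals the number of `ResourceType` constants would catch the next resource type that lands in one list but not the others, which is exactly the case where an audit entry would be silently refused.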
@@ -3308,6 +3310,7 @@ func AllResourceTypeValues() []ResourceType {
ResourceTypeTask,
ResourceTypeAiSeat,
ResourceTypeChat,
ResourceTypeUserSecret,
}
}
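Review bot: `ResourceTypeUserSecret` is appended last here, in the same position as in the constant block and in `Valid()`, so the three lists stay in sync; since the commit message says the secret value column is diffed as `ActionSecret`, the per-resource audit field table that the other audited resources (templates, workspaces, chats) register also needs a `user_secret` entry, because enumerating the type here does not tell the diff logic which column to redact. That table is not in this hunk, so worth checking in the remaining changed files.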