fix(creds): MQTT regression + secret_kind for hash credentials

Honest correction to the "every cred-emitting service" claim. Audit
of templates/* found three gaps:

1. MQTT — was working through the legacy adapter, silently dropped
   when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret()
   alongside the others.
2. Postgres — `auth, pw_hash=…` event captures the MD5
   challenge-response the attacker sent. Plaintext irrecoverable, so
   it never fit the (principal, secret_b64=raw_bytes) shape. Lands
   in Credential as secret_kind="postgres_md5_challenge".
3. VNC — `auth_response, response=…hex` event captures the 16-byte
   DES-encrypted challenge. Same situation as Postgres: plaintext
   irrecoverable. Lands as secret_kind="vnc_des_response".

Adds a `secret_kind` discriminator column to Credential (default
"plaintext", indexed). The dedup tuple gains secret_kind so two
credentials with the same sha256 but different kinds are
fundamentally different rows — different challenges produce
different bytes for the same plaintext password, so cross-kind
reuse matches are meaningless and would only confuse analytics.

The model now genuinely covers every cred-emitting service in the
fleet:

  plaintext        SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP,
                   MQTT
  postgres_md5_*   Postgres
  vnc_des_response VNC

Username-only services (MySQL/MSSQL — TDS pre-encryption captures
the user but never sees the password byte) intentionally don't feed
Credential — they're recon signals, not cred attempts.

40 tests pass in the touched scope. New cases: secret_kind dedups
independently in the repo; Postgres MD5 + VNC DES emitters thread
through; MQTT round-trips through the native branch.

decnet/web/db/models/logs.py

@@ -72,7 +72,22 @@ class Credential(SQLModel, table=True):
     decky_name: str = Field(index=True)
     service: str = Field(index=True)
     principal: Optional[str] = Field(default=None, index=True, max_length=256)
-    # Universal lossless secret representations.
+    # Discriminator for what `secret_b64` actually contains. Default
+    # ``"plaintext"`` — a recoverable password the attacker sent on the
+    # wire (SSH/Telnet/FTP/IMAP/POP3/SMTP/Redis/LDAP/MQTT). Other kinds:
+    # ``"postgres_md5_challenge"`` (md5(md5(pw+user)+salt) hex bytes
+    # the attacker sent in the Postgres password message — plaintext
+    # irrecoverable), ``"vnc_des_response"`` (16-byte DES-encrypted
+    # challenge response — same shape).
+    #
+    # Reuse semantics gracefully degrade: same secret_sha256 only
+    # correlates within a single ``secret_kind``. Cross-kind matches
+    # are meaningless because different challenges produce different
+    # bytes for the same plaintext password.
+    secret_kind: str = Field(default="plaintext", index=True, max_length=32)
+    # Universal lossless secret representations. For non-plaintext
+    # kinds, secret_b64 is base64 of the raw attacker-sent bytes (after
+    # hex-decode for protocols that ship the response as a hex string).
     secret_sha256: str = Field(index=True, max_length=64)
     secret_b64: Optional[str] = Field(default=None, max_length=2048)
     # Best-effort printable form — non-printable bytes collapsed to '?'