fix(creds): MQTT regression + secret_kind for hash credentials

Honest correction to the "every cred-emitting service" claim. Audit
of templates/* found three gaps:

1. MQTT — was working through the legacy adapter, silently dropped
   when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret()
   alongside the others.
2. Postgres — `auth, pw_hash=…` event captures the MD5
   challenge-response the attacker sent. Plaintext irrecoverable, so
   it never fit the (principal, secret_b64=raw_bytes) shape. Lands
   in Credential as secret_kind="postgres_md5_challenge".
3. VNC — `auth_response, response=…hex` event captures the 16-byte
   DES-encrypted challenge. Same situation as Postgres: plaintext
   irrecoverable. Lands as secret_kind="vnc_des_response".

Adds a `secret_kind` discriminator column to Credential (default
"plaintext", indexed). The dedup tuple gains secret_kind so two
credentials with the same sha256 but different kinds are
fundamentally different rows — different challenges produce
different bytes for the same plaintext password, so cross-kind
reuse matches are meaningless and would only confuse analytics.

The model now genuinely covers every cred-emitting service in the
fleet:

  plaintext        SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP,
                   MQTT
  postgres_md5_*   Postgres
  vnc_des_response VNC

Username-only services (MySQL/MSSQL — TDS pre-encryption captures
the user but never sees the password byte) intentionally don't feed
Credential — they're recon signals, not cred attempts.

40 tests pass in the touched scope. New cases: secret_kind dedups
independently in the repo; Postgres MD5 + VNC DES emitters thread
through; MQTT round-trips through the native branch.

decnet/web/db/sqlmodel_repo.py

@@ -557,11 +557,13 @@ class SQLModelRepository(BaseRepository):
             payload["fields"] = json.dumps(payload["fields"], ensure_ascii=True)
 
         principal = payload.get("principal")
+        secret_kind = payload.get("secret_kind") or "plaintext"
         async with self._session() as session:
             stmt = select(Credential).where(
                 Credential.attacker_ip == payload["attacker_ip"],
                 Credential.decky_name == payload["decky_name"],
                 Credential.service == payload["service"],
+                Credential.secret_kind == secret_kind,
                 Credential.secret_sha256 == payload["secret_sha256"],
                 # NULL == NULL is False under SQL — branch the predicate.
                 (Credential.principal == principal) if principal is not None
@@ -582,6 +584,7 @@ class SQLModelRepository(BaseRepository):
                 decky_name=payload["decky_name"],
                 service=payload["service"],
                 principal=principal,
+                secret_kind=secret_kind,
                 secret_sha256=payload["secret_sha256"],
                 secret_b64=payload.get("secret_b64"),
                 secret_printable=payload.get("secret_printable"),