refactor(settings): adopt environment-only runtime secret flow

packages/api/src/__tests__/system-settings-runtime.test.ts

@@ -1,5 +1,5 @@
 import { afterEach, describe, expect, it, vi } from "vitest";
-import { resolveSystemSettingsRuntime } from "../lib/system-settings-runtime.js";
+import { getRuntimeSecretStatuses, resolveSystemSettingsRuntime } from "../lib/system-settings-runtime.js";
 
 describe("system settings runtime resolution", () => {
   afterEach(() => {
@@ -39,4 +39,27 @@ describe("system settings runtime resolution", () => {
 
     expect(settings.smtpPassword).toBe("db-password");
   });
+
+  it("reports active source and legacy DB presence separately", () => {
+    vi.stubEnv("OPENAI_API_KEY", "env-openai-key");
+
+    const statuses = getRuntimeSecretStatuses({
+      aiProvider: "openai",
+      azureOpenAiApiKey: "db-key",
+      smtpPassword: "db-password",
+    });
+
+    expect(statuses.azureOpenAiApiKey).toEqual({
+      configured: true,
+      activeSource: "environment",
+      hasStoredValue: true,
+      envVarNames: ["OPENAI_API_KEY", "AZURE_OPENAI_API_KEY"],
+    });
+    expect(statuses.smtpPassword).toEqual({
+      configured: true,
+      activeSource: "database",
+      hasStoredValue: true,
+      envVarNames: ["SMTP_PASSWORD"],
+    });
+  });
 });