fix(docker-watcher): phase 8 security fixes

Remove webhook secret from logs and API response.
Add auth-pending note to router. Fix decrypt fallback that
would use ciphertext as auth token on decrypt failure.

web/src/routes/settings/+layout.svelte

@@ -0,0 +1,55 @@
+<script lang="ts">
+	import type { Snippet } from 'svelte';
+	import { page } from '$app/stores';
+
+	interface Props {
+		children: Snippet;
+	}
+
+	let { children }: Props = $props();
+
+	const navItems = [
+		{ href: '/settings', label: 'General' },
+		{ href: '/settings/registries', label: 'Registries' },
+		{ href: '/settings/credentials', label: 'Credentials' }
+	];
+
+	let currentPath = $derived($page.url.pathname);
+
+	function isActive(href: string): boolean {
+		if (href === '/settings') {
+			return currentPath === '/settings';
+		}
+		return currentPath.startsWith(href);
+	}
+</script>
+
+<div class="mx-auto max-w-4xl">
+	<h1 class="mb-6 text-2xl font-bold text-gray-900">Settings</h1>
+
+	<div class="flex gap-6">
+		<!-- Sub-navigation -->
+		<nav class="w-48 flex-shrink-0">
+			<ul class="space-y-1">
+				{#each navItems as item}
+					<li>
+						<a
+							href={item.href}
+							class="block rounded-md px-3 py-2 text-sm font-medium transition-colors
+								{isActive(item.href)
+								? 'bg-blue-50 text-blue-700'
+								: 'text-gray-600 hover:bg-gray-50 hover:text-gray-900'}"
+						>
+							{item.label}
+						</a>
+					</li>
+				{/each}
+			</ul>
+		</nav>
+
+		<!-- Settings content -->
+		<div class="flex-1">
+			{@render children()}
+		</div>
+	</div>
+</div>