What

This fixes native secret reference handling so each build or redeploy waits on the latest External Secrets Operator reconciliation before using the synced Kubernetes Secret.

Changes:

• Adds a per-run sync token to generated ExternalSecret resources using the documented force-sync annotation.
• Mirrors that sync token onto the target Kubernetes Secret through the ExternalSecret target template.
• Waits for both the expected Secret keys and the matching sync token before build or forwarded agent environment secret usage continues.
• Sets target.deletionPolicy: Merge so provider-side deletions remove stale keys from the target Secret instead of retaining old values.
• Covers deployment secrets and forwarded agent environment secrets with focused tests.

Why

Previously, reapplying the same ExternalSecret manifest could leave a build or redeploy using stale Secret data until the configured refresh interval elapsed. Waiting only for key existence was also not enough because an old target Secret could already contain the requested key.

With this change, each processing run changes the ExternalSecret metadata, the operator reconciles immediately, and Lifecycle waits until the target Secret reflects that same run.

Validation

• pnpm run lint
• pnpm exec tsc --project tsconfig.server.json --noEmit --pretty false
• pnpm exec jest --runTestsByPath src/server/lib/kubernetes/__tests__/externalSecret.test.ts src/server/services/__tests__/secretProcessor.test.ts src/server/lib/agentSession/__tests__/forwardedEnv.test.ts --runInBand
• pnpm run test

Note: pnpm run ts-check currently fails on existing repo-wide TypeScript errors in generated Next.js types, helper scripts, and unrelated API/service files. The changed server project passes tsconfig.server.json.

References

• External Secrets Operator documents manual refresh by updating an ExternalSecret annotation, for example force-sync.
• External Secrets Operator documents deletionPolicy: Merge as removing deleted provider keys from the target Secret while leaving the Secret resource in place.