Block access to Secret objects by default via cookie authn

A defence-in-depth measure against stolen cookies, CSRF and script-injection vulnerabilities. Our UI doesn't need to access Secrets, so kas can refuse to read/write/etc. them. We can make this the default behavior, revertable via a config flag in the agent config file.

Please note, this is only for cookie authn. PAT, CI job token, etc. should work as they do today. We could maybe change the behavior in %18.0 to block Secret access by default for all authn methods. A lot of users probably don't need it? Those who do can opt in explicitly.

Proposal

  • Add an agent config field
  • (existing behavior) kas sends agent config to rails each time it fetches it
  • rails needs to persist the info about this new flag
  • Rails should return the status of this flag when kas asks if a cookie is valid
  • kas caches this setting along with cookie validity information
  • kas checks this flag when a request comes to access a Secret. This should be done as early as possible during the request processing - right after authn.
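A sketch of the kas-side check described in the last step, written as an added example for this proposal (not kas code). It assumes a hypothetical agent config field `AllowSecretAccessViaCookie` (default `false`, i.e. blocked), assumes the cookie-validity cache entry carries that flag as the proposal suggests, and matches Secret requests by their core-API path (`/api/v1/secrets`, `/api/v1/namespaces/<ns>/secrets[/<name>]`, and the legacy `/api/v1/watch/...` form). All verbs are covered, since the match is on the resource, not the method; non-cookie authn is passed through untouched.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthnMethod is how the caller authenticated to kas.
type AuthnMethod int

const (
	AuthnCookie     AuthnMethod = iota // browser session cookie (the UI)
	AuthnPAT                           // personal access token
	AuthnCIJobToken                    // CI job token
)

// AgentConfig holds the hypothetical new agent config field.
// The field name is an assumption for this example; the zero value (false)
// means Secret access via cookie authn is blocked, which is the proposed default.
type AgentConfig struct {
	AllowSecretAccessViaCookie bool
}

// CookieAuthz is what kas would cache per cookie: validity plus the flag
// that Rails returns alongside it.
type CookieAuthz struct {
	Valid  bool
	Config AgentConfig
}

var (
	ErrInvalidCookie       = errors.New("cookie is not valid")
	ErrSecretAccessBlocked = errors.New("access to Secret objects via cookie authn is blocked by agent configuration")
)

// isSecretRequest reports whether a Kubernetes API URL path (no query string,
// as in r.URL.Path) targets Secret objects in the core API group.
func isSecretRequest(path string) bool {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) < 3 || parts[0] != "api" || parts[1] != "v1" {
		return false // Secrets live only in the core group, api/v1
	}
	rest := parts[2:]
	if rest[0] == "watch" { // legacy /api/v1/watch/... form
		rest = rest[1:]
	}
	if len(rest) >= 3 && rest[0] == "namespaces" {
		rest = rest[2:] // skip "namespaces/<ns>"
	}
	return len(rest) > 0 && rest[0] == "secrets"
}

// authorizeSecretAccess is meant to run right after authn, before any
// proxying to the cluster. Only cookie authn is affected.
func authorizeSecretAccess(method AuthnMethod, authz CookieAuthz, path string) error {
	if method != AuthnCookie {
		return nil // PAT, CI job token, etc. keep today's behavior
	}
	if !authz.Valid {
		return ErrInvalidCookie
	}
	if isSecretRequest(path) && !authz.Config.AllowSecretAccessViaCookie {
		return ErrSecretAccessBlocked
	}
	return nil
}

func main() {
	// Constructed sample: a valid cookie whose agent config keeps the default.
	authz := CookieAuthz{Valid: true}
	for _, p := range []string{
		"/api/v1/namespaces/prod/secrets/db-creds",
		"/api/v1/namespaces/prod/pods",
		"/api/v1/watch/namespaces/prod/secrets",
	} {
		fmt.Printf("cookie %-45s -> %v\n", p, authorizeSecretAccess(AuthnCookie, authz, p))
		fmt.Printf("PAT    %-45s -> %v\n", p, authorizeSecretAccess(AuthnPAT, authz, p))
	}
}
```

Because the cache entry carries the flag, the check costs nothing extra per request; when the agent config changes, the next refresh of the cookie-validity entry picks up the new value.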
Edited by Mikhail Mazurskiy