Allow parameters to be marked as secret

Problem

API Security handles data that can contain secrets, most often in the form of authentication credentials for the system under test. Leaking these secrets is a security vulnerability.

As part of the broader solution to secret leak prevention, we need a method to mark data as secret so that it can be masked when logged or included in reports.

See the epic for more context: &9312

Proposal

Use SecretValue<T> type for Parameter values instead of (for example) string or Variant.

OperationIntoRequest/OperationIntoResponse

When converting an Operation instance into a Request or Response, only the header values use SecretValue<T>. For path, querystring, and body parameters, the masking/unmasking occurs during the conversion process.

Implementation plan

  1. Update Parameter.OriginalValue and Parameter.MutatedValue to be SecretValue<T> types
  2. Identify every usage and update it to use .MaskedValue, .UnmaskedValue, or .SetValue
    1. Parameter.OriginalValue
    2. Parameter.MutatedValue
    3. Parameter.Value
  3. Update Operation.Clone to propagate IsSecret
  4. Update the following WebApiService methods making sure IsSecret is propagated (when possible):
    1. OperationFromRequest
    2. OperationFromResponse
    3. OperationIntoRequest
  5. Add a maskSecrets argument to OperationIntoRequest that produces a masked Request instance
  6. Add an OperationIntoResponse method with a maskSecrets argument to IWebApiService that produces a masked Response instance
  7. Tests to verify correct masking of:
    1. Paths
    2. Querystring
    3. Headers
    4. Body parameters (json, graphql, xml)
  8. Tests to verify correct masking of the following when converting Operations into Request and Response objects with maskSecrets set to true:
    1. Paths
    2. Querystring
    3. Headers
    4. Body parameters (json, graphql, xml)
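The following is an added illustration of the SecretValue<T> wrapper and the mask/unmask split described in the proposal; it is not code from the API Security project. The member names (IsSecret, MaskedValue, UnmaskedValue, SetValue) follow the plan above, while the mask string, the Clone helper and the sample values are assumptions made for this example.

```csharp
using System;

// Added example: one possible shape for the proposed SecretValue<T> wrapper.
// The mask string and Clone helper are assumptions for this illustration.
public sealed class SecretValue<T>
{
    public const string Mask = "*****";
    private T _value;

    public SecretValue(T value, bool isSecret)
    {
        _value = value;
        IsSecret = isSecret;
    }

    public bool IsSecret { get; }

    // Safe for logs and reports: a secret is replaced by the mask.
    public string MaskedValue => IsSecret ? Mask : Convert.ToString(_value) ?? string.Empty;

    // Only for building the outgoing Request; must never reach a log or report.
    public T UnmaskedValue => _value;

    // Mutation keeps the IsSecret flag, so mutated values stay masked.
    public void SetValue(T value) => _value = value;

    // Propagates IsSecret, as Operation.Clone must (step 3 of the plan).
    public SecretValue<T> Clone() => new SecretValue<T>(_value, IsSecret);

    // Guard against accidental leaks via string interpolation or logging frameworks.
    public override string ToString() => MaskedValue;
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values, not real credentials.
        var auth = new SecretValue<string>("Bearer example-token-123", isSecret: true);
        var page = new SecretValue<string>("2", isSecret: false);

        // Report/log path: the secret header is masked, the ordinary parameter is not.
        Console.WriteLine($"Authorization: {auth.MaskedValue}");
        Console.WriteLine($"page: {page.MaskedValue}");

        // Request path: the unmasked value is used only when sending the request.
        var mutated = auth.Clone();
        mutated.SetValue(auth.UnmaskedValue + "'");
        Console.WriteLine(mutated.IsSecret && mutated.MaskedValue == SecretValue<string>.Mask);
    }
}
```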
Edited by Michael Eddington