
Use string concatenation (+) on secrets #1514

Closed
@djryanj


Request

Currently, it doesn't seem possible to use an operator like + (which works for strings) on secret types. It would be good if that kind of thing was available.

Use case

For example, constructing a connection_string in a prometheus.exporter.mssql component:

remote.kubernetes.secret "sql" {
  namespace = "alloy"
  name = "sql-password"
}

prometheus.exporter.mssql "demo" {
  connection_string = "sqlserver://grafana-alloy:" + remote.kubernetes.secret.sql.data.pwd + "@mssql:1433?trustservercertificate=true"
}

The majority of the connection_string isn't actually secret, even if the result is, but doing the above results in an error like:

Error: /etc/alloy/config.alloy:32:58: remote.kubernetes.secret.sql.data.pwd should be one of [number string] for binop +, got capsule
31 | prometheus.exporter.mssql "demo" {
32 |   connection_string = "sqlserver://grafana-alloy:" + remote.kubernetes.secret.sql.data.pwd + "@mssql:1433?trustservercertificate=true"
   |      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
33 | }

Marking the export as nonsensitive works:

prometheus.exporter.mssql "demo" {
  connection_string = "sqlserver://grafana-alloy:" + nonsensitive(remote.kubernetes.secret.sql.data.pwd) + "@mssql:1433?trustservercertificate=true"
}

But that exposes the secret in logs.

Alternatives:

  1. A way to "un-capsule" the secret somehow but keep it secret;
  2. For the mssql (and the like) component to understand that capsule somehow (e.g., maybe the username and password fields can be provided separately from the rest of the connection string, and the string constructed internally);
  3. Better documentation on how to do the above with existing functionality.

Thanks in advance.
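
An added illustration, not part of the issue and not Alloy's own code: a Go model of the behaviour requested above, where concatenating a string with a secret yields another secret, so the value stays redacted in logs without `nonsensitive`. It goes one step beyond the issue by showing why building the URL from separate fields (alternative 2) is also more robust: a password containing `@` or `/` makes the concatenated string parse to the wrong host. `Secret`, `Concat`, `ConnString` and `HostOf` are hypothetical names, and the password is a constructed sample.

```go
package main

import "fmt"
import "net/url"

// Secret is a hypothetical stand-in for a capsule value: every formatting
// path is redacted, so logging it never prints the contents.
type Secret struct{ v string }

func (Secret) String() string   { return "(secret)" }
func (Secret) GoString() string { return "(secret)" }

// Reveal is the one explicit escape hatch, for handing the value to a driver.
func (s Secret) Reveal() string { return s.v }

// Concat joins plain values and Secrets; the result is always a Secret, so
// the sensitivity survives the concatenation instead of being stripped.
func Concat(parts ...any) Secret {
	out := ""
	for _, p := range parts {
		if s, ok := p.(Secret); ok {
			p = s.v
		}
		out += fmt.Sprint(p)
	}
	return Secret{out}
}

// ConnString builds the URL from separate fields (alternative 2 in the issue)
// and percent-encodes the password so '@' or '/' cannot shift the host.
func ConnString(user string, pwd Secret, host, query string) Secret {
	u := url.URL{Scheme: "sqlserver", User: url.UserPassword(user, pwd.v), Host: host, RawQuery: query}
	return Secret{u.String()}
}

// HostOf reports which host a client would parse out of the connection string.
func HostOf(dsn Secret) string {
	if u, err := url.Parse(dsn.Reveal()); err == nil {
		return u.Host
	}
	return ""
}

func main() {
	pwd := Secret{"p@ss/w0rd"} // constructed sample password
	naive := Concat("sqlserver://grafana-alloy:", pwd, "@mssql:1433?trustservercertificate=true")
	safe := ConnString("grafana-alloy", pwd, "mssql:1433", "trustservercertificate=true")
	fmt.Printf("log: %v %#v | hosts: %q vs %q\n", naive, pwd, HostOf(naive), HostOf(safe))
}
```
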

Metadata

Labels: enhancement (New feature or request), proposal (A proposal for new functionality.)


Project status: Accepted
