[codex] stage sensitive facts as encrypted reflex candidates

[thesongzhu]

Summary

• add secure_fact Reflex candidates for explicit sensitive fact-shaped run text when encrypted staging is configured
• keep candidate payload/evidence redacted with secret metadata only, while approval confirms encrypted storage and rejection deletes staged secrets
• widen Reflex candidate kind handling across API/tool/UI typing plus migration v092

Verification

• pnpm vitest run test/unit/reflex/friday-reflex-service.test.ts test/unit/state/migrations/v092-reflex-secure-fact-candidates.test.ts test/unit/agent/tools/friday-agent-reflex-tools.test.ts --reporter=verbose
• npm run check:migrations
• npm run typecheck:src
• git diff --check
• npm run check:secret-patterns
• npm run check:alignment
• npm run check:public-source-hygiene
• npm run build:ui

Boundary

This is a focused secure-staging/Review Center substrate change. It does not claim live LLM generation, real-browser Review Center coverage, third-party channel coverage, attachment/document coverage, every sensitive category, or full end-to-end secure-storage UX.