Is your feature request related to a problem? Please describe.
I sync env vars from Infisical into Trigger.dev using the syncEnvVars build extension:
```ts
import { defineConfig } from "@trigger.dev/sdk/v3";
import { syncEnvVars } from "@trigger.dev/build/extensions/core";
import { InfisicalSDK } from "@infisical/sdk";

export default defineConfig({
  build: {
    extensions: [
      // Runs at build time; ctx.env holds the build's env vars, ctx.environment the target env.
      syncEnvVars(async (ctx) => {
        const client = new InfisicalSDK({ siteUrl: "https://app.infisical.com" });
        await client.auth().universalAuth.login({
          clientId: ctx.env.INFISICAL_CLIENT_ID,
          clientSecret: ctx.env.INFISICAL_CLIENT_SECRET,
        });
        const { secrets } = await client.secrets().listSecrets({
          environment: ctx.environment,
          projectId: ctx.env.INFISICAL_PROJECT_ID,
          secretPath: "/",
        });
        // Every secret in the project is handed to Trigger.dev as an env var.
        return secrets.map((s) => ({ name: s.secretKey, value: s.secretValue }));
      }),
    ],
  },
});
```
The problem: once these values land in Trigger.dev, the Environment variables page exposes them via the "Reveal values" toggle. Every Stripe secret key, Better Auth secret, webhook secret, AssemblyAI key, etc. that Infisical was responsible for protecting becomes visible in plain text to anyone with dashboard access.
This defeats a major reason to centralize secrets in Infisical:
- Infisical itself does not let you read secrets back through its UI without explicit access controls and audit logging.
- Trigger.dev's syncEnvVars becomes a side-channel that exfiltrates those same values to a UI with weaker controls.
- A read-only Trigger.dev dashboard viewer effectively gets read access to every secret in the synced Infisical project.
The same concern applies to syncVercelEnvVars — Vercel masks "encrypted" env vars and never re-reveals them after creation, but Trigger.dev shows them in the clear.
Describe the solution you'd like to see
For values that arrive via syncEnvVars (or any sync extension), default to write-only / non-revealable in the Trigger.dev dashboard. Specifically:
- Hide the value behind dots permanently. No "Reveal values" toggle for synced vars. Treat them like Vercel treats encrypted env vars after creation — write-only.
- Optionally, allow the sync callback to opt individual vars in/out, in case some genuinely are non-sensitive:
```ts
export type SyncEnvVarsBody =
  | Record<string, string>
  | Array<{
      name: string;
      value: string;
      isParentEnv?: boolean;
      revealable?: boolean; // default false for synced vars
    }>;
```
- Audit-log any reveal action on env vars that are revealable, so there's a record of who saw what.
Defaulting synced vars to non-revealable is the important part. The optional flag and audit log are nice-to-haves.
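To make the proposed behaviour concrete, here is an added example (not Trigger.dev's or Infisical's code, and not part of this issue's original text) that models it end to end: the sync callback emits entries under the proposed `revealable` field with an explicit opt-in allowlist, the platform side masks anything not opted in regardless of what the UI toggle requests, and every reveal attempt, denied or not, lands in an audit record. The `SyncEnvVar` and `AuditEntry` shapes, the `NON_SENSITIVE` allowlist and the sample secrets are all assumptions constructed for the example.

```typescript
// Added example: models the "revealable defaults to false" proposal from this issue.
// SyncEnvVar mirrors the proposed type; AuditEntry, NON_SENSITIVE and SAMPLE_SECRETS are assumptions.

type SyncEnvVar = {
  name: string;
  value: string;
  isParentEnv?: boolean;
  revealable?: boolean; // proposed flag; absent means false for synced vars
};

type AuditEntry = {
  actor: string;
  name: string;
  action: "reveal" | "reveal_denied";
  at: string;
};

// Constructed sample of what an Infisical listSecrets() call might return.
const SAMPLE_SECRETS = [
  { secretKey: "STRIPE_SECRET_KEY", secretValue: "sk_test_constructed_000" },
  { secretKey: "PUBLIC_APP_URL", secretValue: "https://example.invalid" },
  { secretKey: "BETTER_AUTH_SECRET", secretValue: "constructed-auth-secret" },
];

// Names the operator has explicitly judged non-sensitive; everything else stays write-only.
const NON_SENSITIVE = new Set(["PUBLIC_APP_URL"]);

// Sync callback body under the proposed type: revealable is an explicit opt-in, never the default.
function toSyncBody(
  secrets: Array<{ secretKey: string; secretValue: string }>,
  allowlist: Set<string> = NON_SENSITIVE,
): SyncEnvVar[] {
  return secrets.map((s) => ({
    name: s.secretKey,
    value: s.secretValue,
    revealable: allowlist.has(s.secretKey),
  }));
}

// Platform-side rendering: a var that is not explicitly revealable is always masked,
// whatever the dashboard toggle asks for. The mask is fixed-length so it leaks nothing
// about the real value's length.
function renderValue(v: SyncEnvVar, revealRequested: boolean): string {
  if (revealRequested && v.revealable === true) return v.value;
  return "•".repeat(8);
}

// Platform-side reveal handler: the check lives on the server, not in the client,
// and every reveal request is recorded, including denied ones.
function handleReveal(
  v: SyncEnvVar,
  actor: string,
  auditLog: AuditEntry[],
  now: () => string = () => new Date().toISOString(),
): string {
  const allowed = v.revealable === true;
  auditLog.push({ actor, name: v.name, action: allowed ? "reveal" : "reveal_denied", at: now() });
  return renderValue(v, allowed);
}
```

The point of keeping the check in `handleReveal` rather than in the toggle is that a dashboard viewer with read-only access cannot bypass it by calling the API directly, and the denied attempts are as useful in the audit trail as the successful ones.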
Describe alternate solutions
- Don't use syncEnvVars at all — read every secret from Infisical at task runtime. Adds latency, an extra auth surface in every task, and removes the convenience the extension is supposed to provide.
- Restrict dashboard access to a tiny number of admins — works, but Trigger.dev currently doesn't let you grant "deploy and view runs" without also granting "read every secret in plain text," so this forces an all-or-nothing org permission model.
- Rotate any secret that's ever been shown in the dashboard — the only reliable mitigation today, but it's a band-aid, not a fix.
Additional information
Source pointer: packages/build/src/extensions/core/syncEnvVars.ts — the change is on the platform side (how the synced values are stored and rendered), not the SDK type itself.
Screenshot of the current behavior — every synced value is one click away from being shown in plain text:
(Reveal values toggle visible in the top-right of the Environment variables page; each row's masked value reveals fully on toggle.)
Related: closed #3484 (I had the request backwards there — actually want stricter, not looser, treatment of synced values).