feat(settings): hide API key from frontend, use status+edit instead of password field

Backend changes:
- Add civitai_api_key to _NO_SYNC_KEYS, return only boolean civitai_api_key_set
- Clean up known template placeholder on load to prevent false positive

Frontend changes:
- Replace type=password with type=text + CSS masking (-webkit-text-security)
- Replace pre-filled input with status display (Configured/Not configured)
- Add inline edit view with Save/Cancel buttons
- Re-add eye toggle via CSS class toggle (not type switching)
- Use CSS transitions for smooth status/edit view switching

This prevents Chromium/Vivaldi password manager from triggering
'save password' prompts when opening the settings modal.

tests/routes/__snapshots__/test_api_snapshots.ambr

@@ -26,7 +26,7 @@
     'messages': list([
     ]),
     'settings': dict({
-      'civitai_api_key': 'test-key',
+      'civitai_api_key_set': True,
       'language': 'en',
       'theme': 'dark',
     }),

tests/routes/test_misc_routes.py

@@ -134,8 +134,10 @@ async def test_get_settings_excludes_no_sync_keys():
 
     assert payload["success"] is True
     # Regular settings should be synced
-    assert payload["settings"]["civitai_api_key"] == "abc"
     assert payload["settings"]["regular_setting"] == "value"
+    # civitai_api_key is in _NO_SYNC_KEYS; only the boolean flag is returned
+    assert payload["settings"].get("civitai_api_key") is None
+    assert payload["settings"]["civitai_api_key_set"] is True
     # _NO_SYNC_KEYS should not be synced
     assert "hash_chunk_size_mb" not in payload["settings"]
     assert "folder_paths" not in payload["settings"]