ENG-3566: Add DBCredentialProvider for dynamic credential resolution

[erosselli]

Ticket ENG-3566

Description Of Changes

Adds DBCredentialProvider, the layer between SQLAlchemy engine creators and the SecretProvider abstraction. This is the foundation for dynamic database credentials via AWS Secrets Manager — it resolves credentials, handles auth-failure retry during rotation, and sanitizes connection exceptions to prevent credential leakage.

This PR adds the class and all supporting config/provider changes but does not wire it into the engine creators yet. The wiring will follow in a separate PR.

Code Changes

• DBCredentialProvider class with get_credentials(), connect_with_retry(), auth error detection (SQLSTATE + psycopg2 string fallback), and SanitizedConnectionError
• StaticSecretProvider refactored to read and cache DB credentials from CONFIG at construction time
• get_secret_provider() singleton in config/secrets/__init__.py for shared provider cache
• credential_secret_id and readonly_credential_secret_id fields added to DatabaseSettings
• @model_validator on FidesConfig for cross-section config validation (static + secret_id, aws + missing secret_id)
• aws_secrets_manager made Optional on SecretsSettings with its own validator
• create_secret_provider factory simplified (no more static_secrets param)
• INFO logs added to AWSSecretsManagerProvider for fetch/cache events

Steps to Confirm

1. Run nox -s "pytest(misc-unit)" — all config, secrets, and db_credential_provider tests pass
2. Run nox -s "pytest(lib)" — engine creator tests pass
3. Verify static provider behavior unchanged: start Fides normally (no secrets config), confirm GET /health/database returns healthy

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • No UX review needed
• Followup issues:
  • Followup issues created
• Database migrations:
  • No migrations
• Documentation:
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	May 13, 2026 8:43pm
fides-privacy-center	Ignored		May 13, 2026 8:43pm

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.54%. Comparing base (545fd9a) to head (e9fb993).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8175      +/-   ##
==========================================
+ Coverage   85.45%   85.54%   +0.09%     
==========================================
  Files         650      654       +4     
  Lines       42363    42636     +273     
  Branches     4971     5008      +37     
==========================================
+ Hits        36200    36475     +275     
- Misses       5054     5055       +1     
+ Partials     1109     1106       -3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[JadeCara]

Only one note on some drift between the plan and implementation. Looks clean!

[JadeCara]

I think I remember this being a warning to not block start up in the design doc. Did that change?

[erosselli]

ah maybe, but if something is misconfigured I think I'd rather fail noisly than log a silent warning. This should only scream if you've set FIDES__SECRETS__PROVIDER to aws but haven't configured the credential_secret_id for the DB