Add encryption status to notification health endpoint (P2)

Backend:
- Add IsEncryptionEnabled() method to ConfigPersistence
- Include encryption status in /api/notifications/health response
- Allows frontend to warn when credentials are stored in plaintext

Frontend:
- Update NotificationHealth type to include encryption.enabled field
- Frontend can now display warnings when encryption is disabled

This addresses the P2 requirement for encryption visibility, allowing
operators to know when notification credentials are not encrypted at rest.

frontend-modern/src/api/notifications.ts

@@ -238,6 +238,9 @@ export class NotificationsAPI {
       total: number;
       enabled: number;
     };
+    encryption: {
+      enabled: boolean;
+    };
     healthy: boolean;
   }> {
     return apiFetchJSON(`${this.baseUrl}/health`);

internal/api/notifications.go

@@ -640,6 +640,9 @@ func (h *NotificationHandlers) GetNotificationHealth(w http.ResponseWriter, r *h
 			"total":   len(webhooks),
 			"enabled": countEnabledWebhooks(webhooks),
 		},
+		"encryption": map[string]interface{}{
+			"enabled": h.monitor.GetConfigPersistence().IsEncryptionEnabled(),
+		},
 		"overall_healthy": queueStats["healthy"] == true,
 	}
 

internal/config/persistence.go

@@ -1371,6 +1371,13 @@ func (c *ConfigPersistence) updateEnvFile(envFile string, settings SystemSetting
 	return os.Rename(tempFile, envFile)
 }
 
+// IsEncryptionEnabled returns whether the config persistence has encryption enabled
+func (c *ConfigPersistence) IsEncryptionEnabled() bool {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.crypto != nil
+}
+
 // cleanupOldBackups removes old backup files, keeping only the most recent N backups
 func (c *ConfigPersistence) cleanupOldBackups(pattern string) {
 	// Use filepath.Glob to find all backup files matching the pattern