Summary

Fixes the source credential secret picker for personal overrides on org-owned sources.

• Allows personal override pickers to show secrets from the personal scope plus visible outer scopes.
• Adds a Save in scope selector to the new-secret modal when multiple valid creation scopes are available.
• Keeps organization-default credentials from targeting inner personal scopes.
• Adds a real cloud API regression that seeds an org-owned source and org-owned secret through protected API calls before exercising the picker filter.

Root Cause

The shared React picker filtered secrets by exact target scope. A personal override binding is allowed to reference an outer org secret, but the UI hid those org-scoped secrets, making the dropdown appear empty for users with only org-level credentials.

Validation

• bun run --cwd packages/react test src/plugins/secret-header-auth.test.ts
• bun run --cwd packages/react typecheck
• bun run --cwd apps/cloud test:node src/services/sources-api.node.test.ts -t "personal source override picker can see org-owned secrets over HTTP"
• bun run --cwd apps/cloud typecheck