fix: backend-driven display fields for engine connections (closes #52)

[shirshanka]

Summary

• Adds DisplayField and display_fields: list[DisplayField] to ConnectorSpec (engines/factory.py).
• Populates display_fields for the Hive connector — the missing piece behind bug(frontend): The hive data source fields are not displayed on the Data Sources settings page #52.
• list_connections now dispatches through display_fields for any registered connector type the per-type branches don't already handle. Sensitive values render as "(configured)", never the raw value.
• Existing snowflake / bigquery / SQLAlchemy branches are untouched, so URL-form SQL connections and BigQuery's credentials masking are preserved.

Background

#52 reported that the Data Sources settings page renders an empty card for Hive. The reason was that list_connections only had explicit branches for snowflake / bigquery / SQLAlchemy types — everything else fell through to fields = []. Hive was fully registered in _CONNECTOR_MAP already; the spec just lacked display metadata.

#53 took an alternative approach (sending raw conn_cfg.items() from the backend and rebuilding fields client-side from plugin definitions). That introduced silent regressions for BigQuery credential sensitivity and URL-form SQL connections, and put snowflake on a different code path from the rest. This PR is the backend-driven alternative discussed in the review.

What changes

• `backend/src/analytics_agent/engines/factory.py` — new `DisplayField` dataclass; new `display_fields` field on `ConnectorSpec`; populated for the Hive connector (host/port/database/auth/user/password/kerberos_service_name) with sensitive=True and secret_key="password" on the password field.
• `backend/src/analytics_agent/api/settings.py` — when the existing per-type branches don't match but the type is in `_CONNECTOR_MAP` and has `display_fields`, derive `ConnectionField`s from the spec generically. Falls through to the original empty-fields behavior when neither matches.
• `tests/unit/test_settings_wire_format.py` — three new tests covering: unconfigured Hive renders all 7 plugin fields with correct labels; configured Hive masks the password as `"(configured)"`; unknown types still get the empty-fields fallback.

Why this beats client-side rebuild

• Schema lives in one place. Backend is the source of truth for labels, sensitivity, and `secret_key`. No risk of frontend re-deriving `sensitive` from a narrow rule like `pf.type === "password"`.
• Adding a connector is one file. Future types just append to `_CONNECTOR_MAP` with display_fields populated.
• No regressions to snowflake / bigquery / URL-form SQL. Existing per-type branches stay as-is; this PR only fills the gap for types that previously got `fields = []`.

Test plan

• `uv run pytest tests/unit/test_settings_wire_format.py -v` — 22/22 passing (3 new).
• `uv run pytest tests/unit/` — 247/248 passing (one pre-existing env-dependent failure in `test_llm_provider.py`, unrelated).
• Manual: configure a Hive connection in the UI, confirm all 7 fields render with labels and the password field is masked.
• Manual: verify Snowflake and BigQuery cards are unchanged (existing per-type branches were not modified).
• Manual: verify URL-form MySQL/Postgres connections still show the `Connection URL` field (SQLAlchemy branch unchanged).

Closes #52.

🤖 Generated with Claude Code