
Add option to skip IoT notification in sst secrets set #132

@runlevel5

Description

Problem

When running sst secrets set, SST unconditionally calls iot:DescribeEndpoint to discover the IoT MQTT broker and publish a config.secret.updated event to notify any running sst dev sessions.

This means the IAM role used to set secrets must have iot:DescribeEndpoint, iot:Connect, and iot:Publish permissions — even in CI environments where no sst dev sessions are running and the notification serves no purpose.

This causes deployment failures when the role doesn't have IoT permissions, which is common for least-privilege CI roles that only need SSM Parameter Store access for secret management.

Relevant code path:

  • cli/commands/secrets/set.js → Config.setSecret() → useIOT() → useIOTEndpoint() → iot:DescribeEndpoint
  • config.js:104-107 unconditionally publishes via IoT after writing to SSM

Proposed Solution

Add a --no-notify (or --skip-iot) flag to sst secrets set that skips the IoT publish step. For example:

npx sst secrets set MY_SECRET "value" --stage prod --no-notify

In config.js, setSecret would check whether notification is requested before calling useIOT():

async function setSecret(input) {
  // ... write to SSM Parameter Store ...

  // Publish event (skip if --no-notify)
  if (input.notify !== false) {
    const iot = await useIOT();
    const topic = `${iot.prefix}/events`;
    await iot.publish(topic, "config.secret.updated", { name: input.key });
  }
}

This would allow CI pipelines to set secrets without requiring IoT permissions, while keeping the default behavior unchanged for interactive use.
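To make the failure mode and the proposed gate concrete, the following is an added, self-contained JavaScript model of the sst secrets set flow under two IAM policies. It is not SST's code and not part of this issue: the IAM-style policyAllows evaluator, the fake SSM/IoT clients, the two policy documents and every function name (setSecret, parseArgs, runSetSecret, demo) are assumptions constructed for the illustration, and the real SST helpers (useIOT, Config.setSecret) are not called.

```javascript
// Added example (not SST's code): a model of `sst secrets set` with a --no-notify flag,
// run against fake SSM/IoT clients that enforce an IAM-style policy so it works offline.
// `policyAllows`, `FakeSsm`, `FakeIot`, `setSecret`, `parseArgs`, `runSetSecret` and `demo`
// are names assumed for this illustration only.

// Minimal IAM evaluation: an action is allowed when an Allow statement names it
// exactly or through a trailing-wildcard pattern such as "iot:*". (Deny is not modelled.)
function policyAllows(policy, action) {
  return policy.Statement.some((stmt) =>
    stmt.Effect === "Allow" &&
    [].concat(stmt.Action).some((a) =>
      a === action || (a.endsWith("*") && action.startsWith(a.slice(0, -1)))
    )
  );
}

// Error shape loosely modelled on an AWS AccessDenied response (constructed, not an SDK type).
class AccessDenied extends Error {
  constructor(action) {
    super(`AccessDenied: not authorized to perform ${action}`);
    this.action = action;
  }
}

// Fake clients: each call records the IAM action it needs and fails if the policy lacks it.
class FakeSsm {
  constructor(policy, calls) { this.policy = policy; this.calls = calls; this.params = {}; }
  async putParameter(name, value) {
    this.calls.push("ssm:PutParameter");
    if (!policyAllows(this.policy, "ssm:PutParameter")) throw new AccessDenied("ssm:PutParameter");
    this.params[name] = value;
  }
}

class FakeIot {
  constructor(policy, calls) { this.policy = policy; this.calls = calls; this.published = []; }
  async describeEndpoint() {
    this.calls.push("iot:DescribeEndpoint");
    if (!policyAllows(this.policy, "iot:DescribeEndpoint")) throw new AccessDenied("iot:DescribeEndpoint");
    return "example-ats.iot.us-east-1.amazonaws.com"; // constructed endpoint value
  }
  async publish(topic, event, payload) {
    // Publishing over MQTT needs both a connect and a publish permission.
    for (const action of ["iot:Connect", "iot:Publish"]) {
      this.calls.push(action);
      if (!policyAllows(this.policy, action)) throw new AccessDenied(action);
    }
    this.published.push({ topic, event, payload });
  }
}

// The command as proposed: write the parameter first, then, unless --no-notify was given,
// resolve the IoT endpoint and publish config.secret.updated for running `sst dev` sessions.
async function setSecret({ ssm, iot, app, stage, key, value, notify = true }) {
  await ssm.putParameter(`/sst/${app}/${stage}/Secret/${key}/value`, value);
  if (!notify) return { notified: false };
  await iot.describeEndpoint();
  await iot.publish(`${app}/${stage}/events`, "config.secret.updated", { name: key });
  return { notified: true };
}

// Flag parsing in the style of the proposed CLI: `--no-notify` flips the default of true.
function parseArgs(argv) {
  const positional = argv.filter((a) => !a.startsWith("--"));
  return { key: positional[0], value: positional[1], notify: !argv.includes("--no-notify") };
}

// Constructed policies: a least-privilege CI role (SSM only) and a developer role that also has IoT.
const CI_POLICY = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: ["ssm:PutParameter"], Resource: "*" },
] };
const DEV_POLICY = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: ["ssm:PutParameter"], Resource: "*" },
  { Effect: "Allow", Action: ["iot:DescribeEndpoint", "iot:Connect", "iot:Publish"], Resource: "*" },
] };

// Run the command under a policy and report the outcome plus every AWS action attempted, in order.
async function runSetSecret(policy, argv) {
  const calls = [];
  const ssm = new FakeSsm(policy, calls);
  const iot = new FakeIot(policy, calls);
  const { key, value, notify } = parseArgs(argv);
  try {
    const result = await setSecret({ ssm, iot, app: "myapp", stage: "prod", key, value, notify });
    return { ok: true, notified: result.notified, calls, published: iot.published.length };
  } catch (e) {
    return { ok: false, deniedAction: e instanceof AccessDenied ? e.action : null, calls };
  }
}

// Three scenarios: CI role today (fails at iot:DescribeEndpoint), CI role with --no-notify
// (succeeds, touches only SSM), developer role without the flag (still notifies).
async function demo() {
  const today = await runSetSecret(CI_POLICY, ["MY_SECRET", "value"]);
  const fixed = await runSetSecret(CI_POLICY, ["MY_SECRET", "value", "--no-notify"]);
  const dev = await runSetSecret(DEV_POLICY, ["MY_SECRET", "value"]);
  return { today, fixed, dev };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

One caveat the model makes visible: because the SSM write happens before the IoT step, a CI run that lacks IoT permissions fails only after the parameter has already been updated, so a "failed" pipeline may still have changed the secret. The --no-notify gate removes the IoT actions from the CI role's required set entirely, which is why the least-privilege policy above needs nothing beyond ssm:PutParameter.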
