What does this PR do?

This PR adds context-aware masking so sensitive pillar data is much harder to leak into state return payloads, minion logs, and event/log forwarding, while keeping explicit pillar APIs useful for debugging.

Highlights

• pydantic>=2.4 in base requirements; SecretStr / SecretBytes for string/byte leaves.
• salt.utils.safepillar: SafeDict / SafeList, wrap_pillar_tree / unwrap_pillar_tree, literal collection, substring redaction, no_log masking.
• Compiled pillar is wrapped on minion-facing paths; automatic redaction replaces known pillar string literals in state returns with a fixed placeholder.
• no_log: true on a state chunk (runtime keyword) masks that chunk’s comment and changes regardless of whether the secret text appears in pillar literals.
• Thin (salt-ssh): Pydantic and its runtime deps are bundled in the thin tarball so salt-call from thin keeps working (fixes ModuleNotFoundError: pydantic / follow-on import errors in CI).
• Direct pillar inspection: pillar.items and pillar.get return plain structures (unwrap_pillar_tree) so operators still see real values when they intentionally call those functions; in-memory pillar and accidental stringification stay protected.
• Tests and pillar.rst updates.

Fixes: #67367 (mask pillar in state output / logs).

Previous Behavior

{'name': 'curl https://api.example.com',
 'comment': 'Request failed: invalid key sk-live-abc123',
 'changes': {'stdout': 'error: sk-live-abc123'},
 'result': False}

New Behavior

{'name': 'curl https://api.example.com',
 'comment': 'Request failed: invalid key **********',
 'changes': {'stdout': 'error: **********'},
 'result': False}

2) no_log: true on a state

Before: comment and changes are whatever the state module returned (may include secrets not present as pillar literals).

After: both are masked to the placeholder shape:

comment: **********
changes: {'**********': '**********'}

3) In-memory pillar vs pillar.items / pillar.get

• Wrapped leaf: str(pillar['db']['password']) → ********** (safe if something logs or stringifies the object).
• pillar.items-style unwrap → {'db': {'password': 'plain-in-pillar'}} (plain values for intentional inspection).

Merge requirements

• Docs (pillar.rst)
• Changelog (per Salt guidelines)
• Tests (unit + integration where applicable)
• salt-ssh thin includes Pydantic stack (CI: test_thin_dir)

Reviewer notes

• Custom code that assumes isinstance(x, str) for every pillar leaf may need to accept SecretStr or call .get_secret_value() after unwrap at boundaries.
• Longest-secret-first literal replacement avoids leaking a shorter secret that is a substring of a longer one.