IIUC the credentials files are all Saveable, so should respect the standard SaveableListener. If there are specific ones that you can point me to then we can see about having them notify the SaveableListener appropriately.
There is obviously an issue in recording the changes of the credentials as if your secret key becomes compromised then the changes will have been captured.
More generally I am considering adding a second layer of encryption for the credentials.xml file such that it may become binary only or at least the individual credentials would be saved with a random salt added so that the same password would not have the same encrypted form twice (e.g. just like how Maven does encryption of secrets for the settings.xml... it's reversible but the same password will never encrypt to the same form twice) As such any change to one credential would trigger a re-save of the whole file which would then show up as all credentials having been "changed" as the salt will be different for each one.
I wonder, in that case, if there is much point in the jobconfig plugin trying to track credentials changes