trying to understand some patterns here - is there a reason config values aren’t stored in the state file?

So you can change them. It's a plain text file that you can view and edit. When you edit it, you know you have to deploy afterwards: it has the same priority as your source code. The state file is not (supposed to be) editable, and it represents what Pulumi has already pushed to the cloud. It's a record of what was done in the past. If you change that, then you've changed what Pulumi thanks has happened in the past, as opposed to what Pulumi plans to change in the future.

yeah i guess in my head config was state that was associated with a stack

No, you can't. Config is stack level.

i guess what i’m saying is if i have secret values i was hoping i could set it directly in the state

You can create a simple custom resource and put the value in there. Mark the value as a secret and it'll be encrypted in state. That would be fine. How would you get the value into state though? You wouldn't want to hard code it in your project file, I think?

yeah i’m aware of state as a concept, have done a lot of work with iac tool internals ultimately though a separate config file is effectively two pieces of state we currently do use SSM and was wondering about creating a custom resource instead

No, config is not another piece of state: it's another source code file. You could create a custom resource. I don't know how you'd get the value in, though: your options are in source code, in config, or manually put into a vault or other cloud storage. Source code has the advantage of good review cover (PRs etc.) but it doesn't make encryption of config values easy; a vault is good for encryption but not so great for getting other devs to review changes; config files offer both advantages.