#313 Implement Tenant Secrets Management API
Description
## Problem
Current secrets APIs are app-specific only (tied to installation_id). Tenants need a general-purpose secrets management API for:
- Storing credentials for external services (databases, APIs)
- Managing environment-specific secrets
- Browsing and auditing all tenant secrets
## Current State
- App-specific secrets: /tenant/apps/<installation_id>/secrets - works but limited scope
- Backend: SecretManager with Vault/AWS/Azure providers - production ready
- Workflow tools: tools.secrets.* - works for workflow access
## Required APIs
1. GET /api/v1/tenant/secrets - List all tenant secrets (paths only, not values)
2. GET /api/v1/tenant/secrets/<path> - Get secret metadata (keys, not values)
3. PUT /api/v1/tenant/secrets/<path> - Create/update secret
4. DELETE /api/v1/tenant/secrets/<path> - Delete secret
5. GET /api/v1/tenant/secrets/<path>/audit - Audit log for secret
## Security Requirements
- RBAC permission: manage_secrets
- Never return secret values in list/get endpoints
- Audit log all write operations
- Path validation to prevent traversal attacks
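
One way to meet the path validation requirement, as an added example that is not code from this project: allowlist each path segment instead of blocklisting `..`, then confirm the result stays under the tenant's prefix. The `tenants/<tenant_id>/` storage layout, the length and depth limits, the reserved `audit` name and all function names are assumptions.

```python
import posixpath
import re

# Assumed limits and layout; the issue does not specify them.
SEGMENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
MAX_DEPTH = 8
# A secret whose last segment is "audit" would be ambiguous with
# GET /api/v1/tenant/secrets/<path>/audit.
RESERVED_LAST_SEGMENTS = {"audit"}


class InvalidSecretPath(ValueError):
    pass


def resolve_secret_path(tenant_id: str, raw_path: str) -> str:
    """Return the backend path for a tenant-supplied secret path, or raise."""
    # tenant_id must come from the authenticated session, never the request.
    if not SEGMENT_RE.fullmatch(tenant_id):
        raise InvalidSecretPath("bad tenant id")
    if not raw_path or len(raw_path) > 512:
        raise InvalidSecretPath("empty or too long")
    segments = raw_path.split("/")
    if len(segments) > MAX_DEPTH:
        raise InvalidSecretPath("too deep")
    for seg in segments:
        # Allowlist rejects "", ".", "..", "%2e", backslash, NUL, whitespace.
        if not SEGMENT_RE.fullmatch(seg):
            raise InvalidSecretPath(f"bad segment {seg!r}")
    if segments[-1] in RESERVED_LAST_SEGMENTS:
        raise InvalidSecretPath("reserved name")
    prefix = f"tenants/{tenant_id}/"
    full = prefix + "/".join(segments)
    # Defence in depth: normalising must not change the path or leave the prefix.
    if posixpath.normpath(full) != full or not full.startswith(prefix):
        raise InvalidSecretPath("escapes tenant prefix")
    return full
```

Because `%` is outside the allowlist, a double-encoded segment that survives the framework's single URL decode is rejected as well.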
## Acceptance Criteria
- All 5 endpoints implemented
- SpecTree OpenAPI models
- RBAC integration
- Vault integration tested
- UI can list, create, update, delete secrets