/highway-workflow-engine
Edit Issue #313
## Problem

Current secrets APIs are app-specific only (tied to `installation_id`). Tenants need a general-purpose secrets management API for:

- Storing credentials for external services (databases, APIs)
- Managing environment-specific secrets
- Browsing and auditing all tenant secrets

## Current State

- App-specific secrets: `/tenant/apps/<installation_id>/secrets` - works but limited scope
- Backend: SecretManager with Vault/AWS/Azure providers - production ready
- Workflow tools: `tools.secrets.*` - works for workflow access

## Required APIs

1. `GET /api/v1/tenant/secrets` - List all tenant secrets (paths only, not values)
2. `GET /api/v1/tenant/secrets/<path>` - Get secret metadata (keys, not values)
3. `PUT /api/v1/tenant/secrets/<path>` - Create/update secret
4. `DELETE /api/v1/tenant/secrets/<path>` - Delete secret
5. `GET /api/v1/tenant/secrets/<path>/audit` - Audit log for secret

## Security Requirements

- RBAC permission: `manage_secrets`
- Never return secret values in list/get endpoints
- Audit log all write operations
- Path validation to prevent traversal attacks

## Acceptance Criteria

- All 5 endpoints implemented
- SpecTree OpenAPI models
- RBAC integration
- Vault integration tested
- UI can list, create, update, delete secrets
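
One way to meet the path-validation and keys-only requirements above, as an added sketch that is not code from the highway-workflow-engine project. The function names, the `tenants/<tenant_id>/secrets/` backend layout and the segment, depth and length limits are all assumptions made for illustration.

```python
import posixpath
import re

# Assumed policy (not from the issue): ASCII segments, bounded depth/length.
_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")
_TENANT_ID = re.compile(r"[a-z0-9-]{1,64}")
MAX_DEPTH, MAX_LEN = 8, 256


class InvalidSecretPath(ValueError):
    """Client-supplied tenant id or secret path failed validation."""


def validate_secret_path(raw: str) -> str:
    """Return the path unchanged if every segment is on the allow-list."""
    if not raw or len(raw) > MAX_LEN:
        raise InvalidSecretPath("empty or too long")
    segments = raw.split("/")
    if len(segments) > MAX_DEPTH:
        raise InvalidSecretPath("too many segments")
    for seg in segments:
        # fullmatch rejects '', '.', '..', '%2e', backslashes, NUL, newlines.
        if not _SEGMENT.fullmatch(seg):
            raise InvalidSecretPath(f"bad segment {seg!r}")
    return raw


def backend_key(tenant_id: str, raw_path: str) -> str:
    """Map a validated path under the tenant's own prefix (layout assumed)."""
    if not _TENANT_ID.fullmatch(tenant_id):
        raise InvalidSecretPath("bad tenant id")
    key = f"tenants/{tenant_id}/secrets/{validate_secret_path(raw_path)}"
    # Defence in depth: the key must already be in normal form.
    if posixpath.normpath(key) != key:
        raise InvalidSecretPath("non-canonical key")
    return key


def secret_metadata(path: str, stored: dict) -> dict:
    """Shape of a GET response: key names only, never the values."""
    return {"path": path, "keys": sorted(stored)}
```

Rejecting a bad path outright, rather than normalising it and carrying on, keeps the audit log entry and the backend key identical to what the caller sent.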