#315 Add Secret Scopes with Access Control (tenant/app/workflow)

closed critical Created 2025-12-08 14:39 · Updated 2025-12-08 15:26

Description

## Problem

Currently any workflow in a tenant can access ANY secret in that tenant. No restrictions by:

- Workflow name/pattern
- App association
- Secret-level ACLs

## Security Risk

A malicious or buggy workflow could read database credentials meant for another workflow.

## Solution

Implement secret scopes:

- TENANT: Any workflow in tenant can access
- APP: Only workflows using specific app can access
- WORKFLOW: Only workflows matching name pattern (regex) can access

## Data Model

Add to secrets metadata:

- scope_type: enum (tenant, app, workflow)
- scope_value: string (app_id or workflow_pattern)

## Acceptance Criteria

- Scope type selectable when creating secret
- Workflow tools enforce scope at runtime
- API rejects secret access outside scope
- Migration for existing secrets (default: tenant scope)
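A sketch of the runtime scope check described above, added here as an illustration and not taken from the project's code. The `Secret`, `WorkflowContext` and `is_access_allowed` names are hypothetical, and matching the workflow pattern against the whole name (rather than a substring) is an assumption, since the issue only says "regex".

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Secret:  # hypothetical shape of the secret metadata
    tenant_id: str
    name: str
    scope_type: str = "tenant"         # migration default from the issue
    scope_value: Optional[str] = None  # app_id or workflow_pattern


@dataclass(frozen=True)
class WorkflowContext:  # hypothetical identity of the calling workflow
    tenant_id: str
    workflow_name: str
    app_ids: frozenset = frozenset()


def is_access_allowed(secret: Secret, ctx: WorkflowContext) -> bool:
    # The tenant boundary applies to every scope type.
    if secret.tenant_id != ctx.tenant_id:
        return False
    if secret.scope_type == "tenant":
        return True
    # app/workflow scope without a value is misconfigured: fail closed.
    if not secret.scope_value:
        return False
    if secret.scope_type == "app":
        return secret.scope_value in ctx.app_ids
    if secret.scope_type == "workflow":
        try:
            # fullmatch: the pattern must cover the entire workflow name,
            # so "billing" does not also admit "billing-evil".
            return re.fullmatch(secret.scope_value, ctx.workflow_name) is not None
        except re.error:
            return False  # an invalid stored pattern denies access
    return False  # unknown scope_type: deny rather than fall back to tenant
```
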
