#318 Bootstrap Script Must Include manage_secrets Permission
Description
## Problem
The manage_secrets permission was added to rbac_roles.py for the tenant_admin role,
but deployments using bootstrap_rbac.py may still lack this permission if:
1. Existing tenants were created before the change
2. Bootstrap doesn't refresh existing role permissions
## Current State
- rbac_roles.py has manage_secrets in PREDEFINED_ROLES
- initialize_tenant_roles() creates roles with permissions
- But existing tenants don't get updated automatically
## Fix Required
1. Add migration script to add manage_secrets to existing tenant_admin roles
2. Ensure bootstrap_rbac.py handles permission updates for existing roles
3. Add idempotent role permission sync
## Acceptance Criteria
- Fresh deployment has manage_secrets on tenant_admin
- Existing tenants get manage_secrets added via migration
- Bootstrap is idempotent (can run multiple times safely)
- Add view_secrets permission for read-only access
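The "Fix Required" steps and the acceptance criteria above describe one mechanism: an additive, idempotent sync that grants every existing tenant's roles the permissions their predefined role definition requires. The following is an added example, not code from this project: it assumes an in-memory role store shaped as `{tenant_id: {role_name: set(permissions)}}` standing in for whatever table bootstrap_rbac.py writes to, and a hypothetical stand-in for PREDEFINED_ROLES in which manage_secrets (write) and view_secrets (read-only) are separate permissions. The `SyncReport`, `sync_tenant_roles`, `has_permission` and `build_legacy_store` names are all assumptions for this example.

```python
"""Idempotent RBAC permission sync (hypothetical example, not project code).

Store shape assumed: {tenant_id: {role_name: set(permissions)}}.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical stand-in for rbac_roles.PREDEFINED_ROLES: role -> permissions it must hold.
# manage_secrets (write) and view_secrets (read-only) are kept separate so a
# read-only role never gains the ability to change secrets.
PREDEFINED_ROLES: Dict[str, Set[str]] = {
    "tenant_admin": {"manage_users", "manage_secrets", "view_secrets"},
    "tenant_viewer": {"view_secrets"},
}

RoleStore = Dict[str, Dict[str, Set[str]]]


@dataclass
class SyncReport:
    """What one sync run changed; a second run proving it changed nothing is the idempotency check."""
    roles_created: List[str] = field(default_factory=list)      # "tenant:role"
    permissions_added: List[str] = field(default_factory=list)  # "tenant:role:permission"
    drift: List[str] = field(default_factory=list)              # granted but not in the definition

    @property
    def changed(self) -> bool:
        return bool(self.roles_created or self.permissions_added)


def sync_tenant_roles(store: RoleStore, definitions: Dict[str, Set[str]] = PREDEFINED_ROLES) -> SyncReport:
    """Bring every existing tenant's roles up to the predefined permission set.

    Additive and idempotent: missing roles are created, missing permissions are
    granted, and running it again reports no changes. Permissions present on a
    role but absent from its definition are reported as drift rather than
    silently revoked, so a migration cannot strip a deliberate grant unnoticed.
    """
    report = SyncReport()
    for tenant_id, roles in store.items():
        for role_name, required in definitions.items():
            if role_name not in roles:
                roles[role_name] = set()
                report.roles_created.append(f"{tenant_id}:{role_name}")
            current = roles[role_name]
            for perm in sorted(required - current):
                current.add(perm)
                report.permissions_added.append(f"{tenant_id}:{role_name}:{perm}")
            for perm in sorted(current - required):
                report.drift.append(f"{tenant_id}:{role_name}:{perm}")
    return report


def has_permission(store: RoleStore, tenant_id: str, role_name: str, permission: str) -> bool:
    """Authorization check against the store; unknown tenants or roles deny by default."""
    return permission in store.get(tenant_id, {}).get(role_name, set())


def build_legacy_store() -> RoleStore:
    """Constructed sample: two tenants created before manage_secrets existed.
    tenant_b carries an extra hand-granted permission to exercise drift reporting."""
    return {
        "tenant_a": {"tenant_admin": {"manage_users"}},
        "tenant_b": {"tenant_admin": {"manage_users", "export_audit_log"}},
    }


if __name__ == "__main__":
    store = build_legacy_store()
    first = sync_tenant_roles(store)
    print("first run created:", first.roles_created)
    print("first run added:", first.permissions_added)
    print("drift to review:", first.drift)
    second = sync_tenant_roles(store)
    print("second run changed anything:", second.changed)
    print("admin can manage secrets:", has_permission(store, "tenant_a", "tenant_admin", "manage_secrets"))
    print("viewer can manage secrets:", has_permission(store, "tenant_a", "tenant_viewer", "manage_secrets"))
```

Running the sync a second time against the same store yields an empty `roles_created` and `permissions_added`, which is the property the "bootstrap is idempotent" criterion asks for; the drift list is the same on both runs because the sync only adds and reports, it never revokes. Wiring this into a real migration means replacing the in-memory store with the project's role table and logging the report so that what each run granted is auditable.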