feat(secrets): add phase 1 secrets tool and redaction hardening

Implements the first pragmatic slice of issue #3627 / #410:
- add agent-facing  tool with list/check/request/delete/inject
  actions
- reuse existing secure CLI secret capture path via getpass-backed callback
  so secret values never enter model context
- support  as an alias for the existing
   skill frontmatter
- redact execute_code stdout/stderr before returning tool output
- expand redaction patterns for Twilio SIDs and JWTs
- register the new tool in discovery/core toolsets and add regression tests

Gateway DM+delete secret capture remains scoped as follow-up work per the
Phase 1 issue discussion.

tools/file_tools.py

@@ -363,6 +363,10 @@ def patch_tool(mode: str = "replace", path: str = None, old_string: str = None,
         
         result_dict = result.to_dict()
         result_json = json.dumps(result_dict, ensure_ascii=False)
+        try:
+            result_json = redact_sensitive_text(result_json)
+        except Exception:
+            pass
         # Hint when old_string not found — saves iterations where the agent
         # retries with stale content instead of re-reading the file.
         if result_dict.get("error") and "Could not find" in str(result_dict["error"]):