
feat: Secrets provider integration (SecretsProvider ABC + Doppler) #21

@Abernaughty

Summary

Implement a SecretsProvider ABC with a Doppler backend for dynamic, scoped secret injection into E2B sandboxes. Agents request temporary tokens instead of seeing permanent API keys.

Context

Per the Final Architecture (Section 5), the secrets layer should support dynamic secrets with TTL, sandbox injection via environment variables, and an output wrapper that prevents leaking. Three providers were evaluated: Azure Key Vault, Infisical, and Doppler. Doppler is recommended for initial integration (managed SaaS, good CLI, team-friendly).

The SecretsProvider ABC follows the same pattern as ToolProvider — swappable backends behind a stable interface.

Acceptance Criteria

  • SecretsProvider ABC with methods: get_secret(name, scope, ttl), list_available(), revoke(token_id)
  • DopplerSecretsProvider implementation using Doppler CLI/API
  • Integration with E2B sandbox: secrets injected as env vars at sandbox creation
  • Scoped tokens: agent requests "15-minute GitHub write access" style grants
  • TTL enforcement: expired tokens automatically revoked
  • Falls back to .env file if no secrets provider configured (development mode)
  • Unit tests with mocked Doppler API
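As an added sketch (not code from this repository or from Doppler), one way the ABC and the criteria above fit together in Python: the Doppler backend is replaced by a hypothetical in-memory provider so that scoped leases, TTL enforcement, revocation, env-var injection and the .env fallback can all run offline. `Lease`, `InMemorySecretsProvider`, `sandbox_env` and `dotenv_fallback` are assumed names, and the .env contents in the test are constructed.

```python
import time
import secrets
from abc import ABC, abstractmethod
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    """A scoped, time-limited grant: the agent holds token_id, only the sandbox sees value."""
    token_id: str
    name: str
    scope: str
    value: str
    expires_at: float

class SecretsProvider(ABC):
    """Stable interface; backends (Doppler, .env fallback) are swappable behind it."""
    @abstractmethod
    def get_secret(self, name: str, scope: str, ttl: int) -> Lease: ...
    @abstractmethod
    def list_available(self) -> list[str]: ...
    @abstractmethod
    def revoke(self, token_id: str) -> None: ...

class InMemorySecretsProvider(SecretsProvider):
    """Hypothetical stand-in for the Doppler backend: leases over a static store, with TTL enforcement."""
    def __init__(self, store: dict[str, str], clock=time.monotonic):
        self._store, self._clock, self._leases = store, clock, {}
    def get_secret(self, name, scope, ttl):
        if ttl <= 0:
            raise ValueError("ttl must be positive")
        # The permanent value never leaves the provider except inside a lease bound to scope + expiry
        lease = Lease(secrets.token_urlsafe(16), name, scope, self._store[name], self._clock() + ttl)
        self._leases[lease.token_id] = lease
        return lease
    def list_available(self): return sorted(self._store)
    def revoke(self, token_id): self._leases.pop(token_id, None)
    def active_leases(self) -> list[Lease]:
        now = self._clock()  # TTL enforcement: expired leases are revoked before anything is returned
        for tid in [t for t, lease in self._leases.items() if lease.expires_at <= now]:
            self.revoke(tid)
        return list(self._leases.values())

def sandbox_env(leases: list[Lease]) -> dict[str, str]:
    """Env vars handed to the sandbox at creation time; only live leases are injected."""
    return {lease.name: lease.value for lease in leases}

def dotenv_fallback(text: str) -> InMemorySecretsProvider:
    """Development mode: build a provider from .env contents when no secrets backend is configured."""
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return InMemorySecretsProvider({k.strip(): v.strip() for k, v in pairs})
```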

Depends On

Effort

Medium (2 sessions)
