sandbox: secret-ref injection for sessions (create --secret) #485

@xiaods

What to build

Extend session env injection (builds on #483) to support secret references — values resolved from a K8s Secret at exec time and never stored on the session object. From KIP-12 (Part B).

API contract (from KIP-12):

message CreateSessionRequest {
  // ... env from #483 ...
  repeated SecretRef secret_refs = 6;  // stored as references only
}
message SecretRef {
  string secret_name = 1;  // existing K8s Secret in the sandbox namespace
  string key         = 2;  // key within Secret.data
  string env_var     = 3;  // env var name injected into the process
}

The gateway resolves each ref via RBAC (get secrets) at exec time and merges the resolved value into the env path built in #483. The SandboxSession CRD stores only the reference, never the value. CLI: --secret ENV_VAR=secretName:key.

Security red line (document in SKILL.md): truly sensitive values MUST use --secret (reference only). Inline --env is stored plaintext on the CRD and visible to anyone with RBAC to read SandboxSession.

Acceptance criteria

  • gateway ServiceAccount granted get on Secrets in the sandbox namespace
  • create --secret TOKEN=my-sec:api_key (Secret pre-exists) then run "echo \$TOKEN" prints the secret value
  • resolved value never appears in the SandboxSession CRD or in ~/.k8e/sandbox state files
  • missing Secret/key surfaces a clear error on first exec
  • SKILL.md documents the --env vs --secret sensitivity red line
  • test coverage for ref resolution + the CRD-stores-reference-only invariant

Blocked by
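
An added example, not code from the k8e project or from the issue author: a sketch of the `--secret ENV_VAR=secretName:key` parsing and exec-time resolution described in the issue, including the missing Secret/key error path. `ParseSecretFlag`, `ResolveRefs` and `FakeGet` are hypothetical names; `FakeGet` stands in for the gateway's Secret read and serves constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// SecretRef mirrors the SecretRef message in the API contract; it holds no value.
type SecretRef struct{ SecretName, Key, EnvVar string }

// ParseSecretFlag parses one --secret value of the form ENV_VAR=secretName:key.
func ParseSecretFlag(v string) (SecretRef, error) {
	env, rest, _ := strings.Cut(v, "=")
	name, key, _ := strings.Cut(rest, ":")
	if env == "" || name == "" || key == "" {
		return SecretRef{}, fmt.Errorf("--secret %q: want ENV_VAR=secretName:key", v)
	}
	return SecretRef{SecretName: name, Key: key, EnvVar: env}, nil
}

// ResolveRefs runs at exec time; resolved values exist only in the returned slice.
func ResolveRefs(refs []SecretRef, get func(string) (map[string][]byte, error)) ([]string, error) {
	env := make([]string, 0, len(refs))
	for _, r := range refs {
		data, err := get(r.SecretName)
		if err != nil {
			return nil, fmt.Errorf("%s: secret %q: %w", r.EnvVar, r.SecretName, err)
		}
		val, ok := data[r.Key]
		if !ok {
			return nil, fmt.Errorf("%s: key %q missing in secret %q", r.EnvVar, r.Key, r.SecretName)
		}
		env = append(env, r.EnvVar+"="+string(val))
	}
	return env, nil
}

// FakeGet is a hypothetical stand-in for the Secret read, with constructed data.
func FakeGet(name string) (map[string][]byte, error) {
	if name != "my-sec" {
		return nil, fmt.Errorf("not found")
	}
	return map[string][]byte{"api_key": []byte("s3cr3t-constructed")}, nil
}

func main() {
	ref, _ := ParseSecretFlag("TOKEN=my-sec:api_key")
	env, err := ResolveRefs([]SecretRef{ref}, FakeGet)
	fmt.Printf("stored on session: %+v\nexec env entries: %d, err: %v\n", ref, len(env), err)
}
```

Only the `SecretRef` would be persisted on the session object; the slice returned by `ResolveRefs` is passed to the process environment and discarded.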
