Add guest-only workspace secrets

Add explicit workspace secrets across the CLI, SDK, and MCP, with create-time secret definitions and per-call secret-to-env mapping for exec, shell open, and service start. Persist only safe secret metadata in workspace records, materialize secret files under /run/pyro-secrets, and redact secret values from exec output, shell reads, service logs, and surfaced errors.

Fix the remaining real-guest shell gap by shipping bundled guest init alongside the guest agent and patching both into guest-backed workspace rootfs images before boot. The new init mounts devpts so PTY shells work on Firecracker guests, while reset continues to recreate the sandbox and re-materialize secrets from stored task-local secret material.

Validation: uv lock; UV_CACHE_DIR=.uv-cache make check; UV_CACHE_DIR=.uv-cache make dist-check; and a real guest-backed Firecracker smoke covering workspace create with secrets, secret-backed exec, shell, service, reset, and delete.

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable user-visible changes to `pyro-mcp` are documented here.
 
+## 2.9.0
+
+- Added explicit workspace secrets across the CLI, Python SDK, and MCP server with
+  `pyro workspace create --secret/--secret-file`, `Pyro.create_workspace(..., secrets=...)`, and
+  the matching `workspace_create` MCP inputs.
+- Added per-call secret-to-environment mapping for `workspace exec`, `workspace shell open`, and
+  `workspace service start`, with secret values redacted from command output, shell reads, service
+  logs, and persisted workspace logs.
+- Kept secret-backed workspaces guest-only and fail-closed while re-materializing persisted secret
+  files outside `/workspace` across workspace creation and reset.
+
 ## 2.8.0
 
 - Added explicit named workspace snapshots across the CLI, Python SDK, and MCP server with