Add guest-only workspace secrets

Add explicit workspace secrets across the CLI, SDK, and MCP, with create-time secret definitions and per-call secret-to-env mapping for exec, shell open, and service start. Persist only safe secret metadata in workspace records, materialize secret files under /run/pyro-secrets, and redact secret values from exec output, shell reads, service logs, and surfaced errors.

Fix the remaining real-guest shell gap by shipping bundled guest init alongside the guest agent and patching both into guest-backed workspace rootfs images before boot. The new init mounts devpts so PTY shells work on Firecracker guests, while reset continues to recreate the sandbox and re-materialize secrets from stored task-local secret material.

Validation: uv lock; UV_CACHE_DIR=.uv-cache make check; UV_CACHE_DIR=.uv-cache make dist-check; and a real guest-backed Firecracker smoke covering workspace create with secrets, secret-backed exec, shell, service, reset, and delete.

README.md

@@ -20,7 +20,7 @@ It exposes the same runtime in three public forms:
 - First run transcript: [docs/first-run.md](docs/first-run.md)
 - Terminal walkthrough GIF: [docs/assets/first-run.gif](docs/assets/first-run.gif)
 - PyPI package: [pypi.org/project/pyro-mcp](https://pypi.org/project/pyro-mcp/)
-- What's new in 2.8.0: [CHANGELOG.md#280](CHANGELOG.md#280)
+- What's new in 2.9.0: [CHANGELOG.md#290](CHANGELOG.md#290)
 - Host requirements: [docs/host-requirements.md](docs/host-requirements.md)
 - Integration targets: [docs/integrations.md](docs/integrations.md)
 - Public contract: [docs/public-contract.md](docs/public-contract.md)
@@ -57,7 +57,7 @@ What success looks like:
 ```bash
 Platform: linux-x86_64
 Runtime: PASS
-Catalog version: 2.8.0
+Catalog version: 2.9.0
 ...
 [pull] phase=install environment=debian:12
 [pull] phase=ready environment=debian:12
@@ -78,6 +78,8 @@ After the quickstart works:
 - prove the full one-shot lifecycle with `uvx --from pyro-mcp pyro demo`
 - create a persistent workspace with `uvx --from pyro-mcp pyro workspace create debian:12 --seed-path ./repo`
 - update a live workspace from the host with `uvx --from pyro-mcp pyro workspace sync push WORKSPACE_ID ./changes`
+- add literal or file-backed secrets with `uvx --from pyro-mcp pyro workspace create debian:12 --secret API_TOKEN=expected --secret-file PIP_TOKEN=./token.txt`
+- map one persisted secret into one exec, shell, or service call with `--secret-env API_TOKEN`
 - diff the live workspace against its create-time baseline with `uvx --from pyro-mcp pyro workspace diff WORKSPACE_ID`
 - capture a checkpoint with `uvx --from pyro-mcp pyro workspace snapshot create WORKSPACE_ID checkpoint`
 - reset a broken workspace with `uvx --from pyro-mcp pyro workspace reset WORKSPACE_ID --snapshot checkpoint`
@@ -137,7 +139,7 @@ uvx --from pyro-mcp pyro env list
 Expected output:
 
 ```bash
-Catalog version: 2.8.0
+Catalog version: 2.9.0
 debian:12 [installed|not installed] Debian 12 environment with Git preinstalled for common agent workflows.
 debian:12-base [installed|not installed] Minimal Debian 12 environment for shell and core Unix tooling.
 debian:12-build [installed|not installed] Debian 12 environment with Git and common build tools preinstalled.
@@ -213,18 +215,20 @@ longer-term interaction model.
 
 ```bash
 pyro workspace create debian:12 --seed-path ./repo
+pyro workspace create debian:12 --seed-path ./repo --secret API_TOKEN=expected
 pyro workspace sync push WORKSPACE_ID ./changes --dest src
 pyro workspace exec WORKSPACE_ID -- cat src/note.txt
+pyro workspace exec WORKSPACE_ID --secret-env API_TOKEN -- sh -lc 'test "$API_TOKEN" = "expected"'
 pyro workspace diff WORKSPACE_ID
 pyro workspace snapshot create WORKSPACE_ID checkpoint
 pyro workspace reset WORKSPACE_ID --snapshot checkpoint
 pyro workspace reset WORKSPACE_ID
 pyro workspace export WORKSPACE_ID src/note.txt --output ./note.txt
-pyro workspace shell open WORKSPACE_ID
+pyro workspace shell open WORKSPACE_ID --secret-env API_TOKEN
 pyro workspace shell write WORKSPACE_ID SHELL_ID --input 'pwd'
 pyro workspace shell read WORKSPACE_ID SHELL_ID
 pyro workspace shell close WORKSPACE_ID SHELL_ID
-pyro workspace service start WORKSPACE_ID web --ready-file .web-ready -- sh -lc 'touch .web-ready && while true; do sleep 60; done'
+pyro workspace service start WORKSPACE_ID web --secret-env API_TOKEN --ready-file .web-ready -- sh -lc 'touch .web-ready && while true; do sleep 60; done'
 pyro workspace service start WORKSPACE_ID worker --ready-file .worker-ready -- sh -lc 'touch .worker-ready && while true; do sleep 60; done'
 pyro workspace service list WORKSPACE_ID
 pyro workspace service status WORKSPACE_ID web
@@ -239,7 +243,7 @@ Persistent workspaces start in `/workspace` and keep command history until you d
 machine consumption, add `--json` and read the returned `workspace_id`. Use `--seed-path` when
 you want the workspace to start from a host directory or a local `.tar` / `.tar.gz` / `.tgz`
 archive instead of an empty workspace. Use `pyro workspace sync push` when you want to import
-later host-side changes into a started workspace. Sync is non-atomic in `2.8.0`; if it fails
+later host-side changes into a started workspace. Sync is non-atomic in `2.9.0`; if it fails
 partway through, prefer `pyro workspace reset` to recover from `baseline` or one named snapshot.
 Use `pyro workspace diff` to compare the live `/workspace` tree to its immutable create-time
 baseline, and `pyro workspace export` to copy one changed file or directory back to the host. Use
@@ -251,6 +255,10 @@ persistent PTY session that keeps interactive shell state between calls. Use
 Typed readiness checks prefer `--ready-file`, `--ready-tcp`, or `--ready-http`; keep
 `--ready-command` as the escape hatch. Service metadata and logs live outside `/workspace`, so the
 internal service state does not appear in `pyro workspace diff` or `pyro workspace export`.
+Use `--secret` and `--secret-file` at workspace creation when the sandbox needs private tokens or
+config. Persisted secrets are materialized inside the guest at `/run/pyro-secrets/<name>`, and
+`--secret-env SECRET_NAME[=ENV_VAR]` maps one secret into one exec, shell, or service call without
+exposing the raw value in workspace status, logs, diffs, or exports.
 
 ## Public Interfaces
 
@@ -422,9 +430,25 @@ Advanced lifecycle tools:
 
 Persistent workspace tools:
 
-- `workspace_create(environment, vcpu_count=1, mem_mib=1024, ttl_seconds=600, network=false, allow_host_compat=false, seed_path=null)`
+- `workspace_create(environment, vcpu_count=1, mem_mib=1024, ttl_seconds=600, network=false, allow_host_compat=false, seed_path=null, secrets=null)`
 - `workspace_sync_push(workspace_id, source_path, dest="/workspace")`
-- `workspace_exec(workspace_id, command, timeout_seconds=30)`
+- `workspace_exec(workspace_id, command, timeout_seconds=30, secret_env=null)`
+- `workspace_export(workspace_id, path, output_path)`
+- `workspace_diff(workspace_id)`
+- `snapshot_create(workspace_id, snapshot_name)`
+- `snapshot_list(workspace_id)`
+- `snapshot_delete(workspace_id, snapshot_name)`
+- `workspace_reset(workspace_id, snapshot="baseline")`
+- `service_start(workspace_id, service_name, command, cwd="/workspace", readiness=null, ready_timeout_seconds=30, ready_interval_ms=500, secret_env=null)`
+- `service_list(workspace_id)`
+- `service_status(workspace_id, service_name)`
+- `service_logs(workspace_id, service_name, tail_lines=200)`
+- `service_stop(workspace_id, service_name)`
+- `shell_open(workspace_id, cwd="/workspace", cols=120, rows=30, secret_env=null)`
+- `shell_read(workspace_id, shell_id, cursor=0, max_chars=65536)`
+- `shell_write(workspace_id, shell_id, input, append_newline=true)`
+- `shell_signal(workspace_id, shell_id, signal_name="INT")`
+- `shell_close(workspace_id, shell_id)`
 - `workspace_status(workspace_id)`
 - `workspace_logs(workspace_id)`
 - `workspace_delete(workspace_id)`