Add guest-only workspace secrets

Add explicit workspace secrets across the CLI, SDK, and MCP, with create-time secret definitions and per-call secret-to-env mapping for exec, shell open, and service start. Persist only safe secret metadata in workspace records, materialize secret files under /run/pyro-secrets, and redact secret values from exec output, shell reads, service logs, and surfaced errors.

Fix the remaining real-guest shell gap by shipping bundled guest init alongside the guest agent and patching both into guest-backed workspace rootfs images before boot. The new init mounts devpts so PTY shells work on Firecracker guests, while reset continues to recreate the sandbox and re-materialize secrets from stored task-local secret material.

Validation: uv lock; UV_CACHE_DIR=.uv-cache make check; UV_CACHE_DIR=.uv-cache make dist-check; and a real guest-backed Firecracker smoke covering workspace create with secrets, secret-backed exec, shell, service, reset, and delete.

tests/test_public_contract.py

@@ -19,6 +19,7 @@ from pyro_mcp.contract import (
     PUBLIC_CLI_RUN_FLAGS,
     PUBLIC_CLI_WORKSPACE_CREATE_FLAGS,
     PUBLIC_CLI_WORKSPACE_DIFF_FLAGS,
+    PUBLIC_CLI_WORKSPACE_EXEC_FLAGS,
     PUBLIC_CLI_WORKSPACE_EXPORT_FLAGS,
     PUBLIC_CLI_WORKSPACE_RESET_FLAGS,
     PUBLIC_CLI_WORKSPACE_SERVICE_LIST_FLAGS,
@@ -94,6 +95,11 @@ def test_public_cli_help_lists_commands_and_run_flags() -> None:
     ).format_help()
     for flag in PUBLIC_CLI_WORKSPACE_CREATE_FLAGS:
         assert flag in workspace_create_help_text
+    workspace_exec_help_text = _subparser_choice(
+        _subparser_choice(parser, "workspace"), "exec"
+    ).format_help()
+    for flag in PUBLIC_CLI_WORKSPACE_EXEC_FLAGS:
+        assert flag in workspace_exec_help_text
     workspace_sync_help_text = _subparser_choice(
         _subparser_choice(parser, "workspace"),
         "sync",