feat: add secrets provider architecture

Trait-based secrets management for secure credential handling:
- SecretsProvider trait for pluggable backends
- EnvProvider as default (12-Factor App pattern)
- ProtectedString with zeroize (memory zeroed on drop)
- Redacted Debug impl prevents secret leakage in logs
- S3Credentials struct for future AWS S3 integration
- Config: [secrets] section with provider and clear_env options

Foundation for AWS Secrets Manager, Vault, K8s (v0.4.0+)

README.md

@@ -111,6 +111,8 @@ nora migrate --from local --to s3
 | `NORA_RATE_LIMIT_UPLOAD_BURST` | 500 | Upload burst size |
 | `NORA_RATE_LIMIT_GENERAL_RPS` | 100 | General requests per second |
 | `NORA_RATE_LIMIT_GENERAL_BURST` | 200 | General burst size |
+| `NORA_SECRETS_PROVIDER` | env | Secrets provider (`env`) |
+| `NORA_SECRETS_CLEAR_ENV` | false | Clear env vars after reading |
 
 ### config.toml
 
@@ -137,6 +139,12 @@ upload_burst = 500
 # Balanced limits for general API endpoints
 general_rps = 100
 general_burst = 200
+
+[secrets]
+# Provider: env (default), aws-secrets, vault, k8s (coming soon)
+provider = "env"
+# Clear environment variables after reading (security hardening)
+clear_env = false
 ```
 
 ## Endpoints