feat: add secrets provider architecture

Trait-based secrets management for secure credential handling:
- SecretsProvider trait for pluggable backends
- EnvProvider as default (12-Factor App pattern)
- ProtectedString with zeroize (memory zeroed on drop)
- Redacted Debug impl prevents secret leakage in logs
- S3Credentials struct for future AWS S3 integration
- Config: [secrets] section with provider and clear_env options

Foundation for AWS Secrets Manager, Vault, K8s (v0.4.0+)

nora-registry/src/main.rs

@@ -11,6 +11,7 @@ mod openapi;
 mod rate_limit;
 mod registry;
 mod request_id;
+mod secrets;
 mod storage;
 mod tokens;
 mod ui;
@@ -190,6 +191,25 @@ async fn run_server(config: Config, storage: Storage) {
         "Rate limiting configured"
     );
 
+    // Initialize secrets provider
+    let secrets_provider = match secrets::create_secrets_provider(&config.secrets) {
+        Ok(provider) => {
+            info!(
+                provider = provider.provider_name(),
+                clear_env = config.secrets.clear_env,
+                "Secrets provider initialized"
+            );
+            Some(provider)
+        }
+        Err(e) => {
+            warn!(error = %e, "Failed to initialize secrets provider, using defaults");
+            None
+        }
+    };
+
+    // Store secrets provider for future use (S3 credentials, etc.)
+    let _secrets = secrets_provider;
+
     // Load auth if enabled
     let auth = if config.auth.enabled {
         let path = Path::new(&config.auth.htpasswd_file);