Add 1Password as optional secret store backend

## Add 1Password as optional secret store backend

Currently `agent_secrets` only supports the macOS Keychain (via `security-framework`) with a no-op fallback on other platforms. This limits cross-platform secret management and doesn't support team/shared vault workflows.

### Goal

Add 1Password as an alternative `SecretStore` backend, selectable at runtime via `SHADI_SECRET_BACKEND=onepassword` env var.

### Approach

- New `OnePasswordStore` implementing the existing `SecretStore` trait
- Uses the `op` CLI (`std::process::Command`) — same pattern as `cargo-credential-1password` in the Rust toolchain (no official 1Password Rust SDK exists)
- Items stored as "Secure Note" in a configurable vault (`SHADI_OP_VAULT`, default `shadi`), tagged `shadi`
- Supports both interactive auth (1Password desktop app) and headless/CI (`OP_SERVICE_ACCOUNT_TOKEN`)
- Gated behind `onepassword` Cargo feature flag
- Fully backward compatible — no env var means existing OS keychain behavior

### Scope

- [ ] `crates/agent_secrets/src/platform/onepassword.rs` — new backend
- [ ] Runtime backend selection in `platform/mod.rs`
- [ ] Feature flag + `serde_json` dep in `Cargo.toml`
- [ ] Enable feature in `shadictl` and `shadi_py`
- [ ] Config + docs updates
- [ ] Unit tests (JSON parsing, command building, error mapping)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add 1Password as optional secret store backend #4