feat: placeholder token secrets, interactive permissions, vsock secrets

- Placeholder token pattern: secrets never enter VM, random tokens
  substituted by host-side proxy (Gondolin-inspired)
- vsock-based secret injection for Firecracker backend
- Interactive permission prompts for destructive operations
- HTTP API endpoints for permissions CRUD

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: thrashr888

Cargo.lock

@@ -61,6 +61,7 @@ urlencoding = "2"
 ssh-key = { version = "0.6", features = ["ed25519", "rand_core"] }
 rand = "0.8"
 ring = "0.17"
+hex = "0.4"
 
 # OpenTelemetry trace export
 opentelemetry = "0.28"