Improve secrets-management agent credential gates #1179

Status: Open

Peter7896 wants to merge 1 commit into UnitOneAI:main from Peter7896:codex/secrets-broker-canary-gates

Conversation

@Peter7896

Summary

  • add canary/honey token classification so approved monitored tokens are separated from production leaks only when owner, alert route, expiry, and no-production-privilege evidence are present
  • add live-validation scanner safety checks for read-only probes, value redaction, rate limiting, and provider side-effect control
  • expand agent credential handling with exposure models for raw secrets, short-lived real secrets, broker tokens, and capability handles
  • require credential broker evidence for host/path/method binding, default-deny egress, upstream secret custody, value-free audit logs, and safe fallback behavior
  • update severity, output tables, common pitfalls, references, and changelog for version 1.0.2

Scope

This addresses #1160. I also posted an attempt comment before implementation: #1160 (comment)

Closes #1160

/claim #1160

Validation

  • git diff --check (only existing Windows LF-to-CRLF warning)
  • verified markdown code fence count is even (16)
  • verified issue-specific markers for canary/honey token evidence, live-validation safety, agent credential exposure model, broker host/path/method binding, default-deny egress, real-secret visibility, and version 1.0.2
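
The first and fourth bullets of the summary describe two gates: a canary/honey-token classification that only separates a finding from production leaks when all of the listed evidence is present, and a credential broker that keeps upstream secret custody, binds a handle to host, path and method, denies egress by default and logs without secret values. The block below is an added example, not code from the UnitOneAI project or from this PR, that models both gates in Python. Every function name, field name, hostname, token id and sample finding is an assumption chosen for illustration; the "upstream secret" is a constructed placeholder string.

```python
"""Added example (not UnitOneAI code): a canary-token classifier and a
credential broker with host/path/method binding, default-deny and
value-free audit. All names, fields and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
import fnmatch
import hashlib

# ---- Gate 1: canary / honey-token classification ---------------------------
# A finding is separated from production leaks only when ALL four pieces of
# evidence are present and valid; anything less stays a production leak.
REQUIRED_CANARY_EVIDENCE = ("owner", "alert_route", "expires_at",
                            "no_production_privilege")


def classify_finding(finding: dict, now: datetime) -> str:
    """Return 'canary' or 'production_leak' for one scanner finding."""
    ev = finding.get("canary_evidence") or {}
    if any(not ev.get(key) for key in REQUIRED_CANARY_EVIDENCE):
        return "production_leak"          # missing or empty evidence
    if ev["no_production_privilege"] is not True:
        return "production_leak"          # 'unknown' is not evidence
    if datetime.fromisoformat(ev["expires_at"]) <= now:
        return "production_leak"          # expired canary: treat as a leak
    return "canary"


# ---- Gate 2: broker handle binding, default-deny, value-free audit ---------
@dataclass(frozen=True)
class BrokerToken:
    """What the agent holds: a handle, never the upstream secret."""
    token_id: str
    host: str                 # exact upstream host the handle may reach
    path_glob: str            # fnmatch pattern for allowed paths
    methods: frozenset        # allowed HTTP methods
    expires_at: datetime


# Upstream secret custody stays inside the broker (constructed placeholder).
UPSTREAM_CUSTODY = {"tok-orders-ro": "upstream-secret-DO-NOT-LOG"}


def fingerprint(secret: str) -> str:
    """Value-free log reference: a short SHA-256 prefix, never the value."""
    return "sha256:" + hashlib.sha256(secret.encode()).hexdigest()[:12]


def broker_forward(token: BrokerToken, host: str, path: str, method: str,
                   now: datetime, audit: list):
    """Default-deny: return outbound headers carrying the upstream secret only
    when token, host, path, method and expiry all check out. Every decision is
    logged without the secret value; an unknown handle is denied rather than
    replaced by any raw secret (safe fallback)."""
    method = method.upper()
    reasons = []
    secret = UPSTREAM_CUSTODY.get(token.token_id)
    if secret is None:
        reasons.append("unknown_token")
    if now >= token.expires_at:
        reasons.append("expired")
    if host != token.host:
        reasons.append("host")
    if not fnmatch.fnmatchcase(path, token.path_glob):
        reasons.append("path")
    if method not in token.methods:
        reasons.append("method")
    allowed = not reasons
    audit.append({"token_id": token.token_id, "host": host, "path": path,
                  "method": method, "allowed": allowed,
                  "deny_reasons": reasons,
                  "upstream_ref": fingerprint(secret) if secret else None})
    return {"Authorization": f"Bearer {secret}"} if allowed else None


def demo():
    """Run both gates on constructed inputs and return the results."""
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    good = {"owner": "secops@example.test", "alert_route": "#honeytoken-alerts",
            "expires_at": "2027-01-01T00:00:00+00:00",
            "no_production_privilege": True}
    findings = {
        "full_evidence": {"value": "canary-x", "canary_evidence": dict(good)},
        "no_alert_route": {"value": "canary-y",
                           "canary_evidence": dict(good, alert_route="")},
        "privilege_unknown": {"value": "canary-z", "canary_evidence":
                              dict(good, no_production_privilege="unknown")},
        "no_evidence": {"value": "AKIA-looking-string"},
    }
    classes = {n: classify_finding(f, now) for n, f in findings.items()}

    token = BrokerToken("tok-orders-ro", "api.example.test", "/v1/orders/*",
                        frozenset({"GET"}),
                        datetime(2026, 6, 1, tzinfo=timezone.utc))
    audit = []
    h = "api.example.test"
    decisions = {
        "get_order": broker_forward(token, h, "/v1/orders/42", "get", now, audit),
        "post_order": broker_forward(token, h, "/v1/orders/42", "POST", now, audit),
        "other_path": broker_forward(token, h, "/v1/users", "GET", now, audit),
        "other_host": broker_forward(token, "evil.example.test", "/v1/orders/42",
                                     "GET", now, audit),
    }
    return classes, decisions, audit
```

The point of the audit structure is that a reviewer can grep the log for the placeholder secret and find nothing; only the fingerprint and the deny reasons are recorded, which is what the "value-free audit logs" bullet asks the scanner to check for.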



Development

Merging this pull request may close: [REVIEW] secrets-management: add brokered agent credential and canary-token gates