feat(config): add secret management for KMS config files

[p0wline]

Closes #882

What

Add secret management support to KMS TOML configuration files so that sensitive values (passwords, tokens, API keys) are never stored in clear text.

Changes

Phase 1 — Local secret handling

• Env var interpolation: ${VAR_NAME} and ${VAR_NAME:-default} syntax resolved at startup in all config values
• Secrets file: split sensitive values into a separate TOML file, referenced via secrets_file key in the main config or COSMIAN_KMS_SECRETS_CONF env var; deep-merged at startup before deserialization
• New pkg/secrets.toml template with documented examples

Phase 2 — External secret backends (optional feature flags)

URI schemes resolved at startup:

URI scheme	Feature flag	Backend
vault://<mount>/<path>[#<field>]	secret-vault	HashiCorp Vault KV-v2
aws-ssm://<region>/<param-path>	secret-aws	AWS SSM Parameter Store (SecureString)
azure-kv://<vault>/secrets/<name>	secret-azure	Azure Key Vault REST API

Each backend spawns a dedicated OS thread with its own Tokio runtime to avoid nested-runtime panics at startup.

Testing

• Unit tests: env var interpolation, secrets file deep-merge, loading via config key and env var
• End-to-end tested: Vault ✅, AWS SSM ✅, Azure KV ✅

[Manuthor]

Thanks for this!

Only a partial review.
Could you rebase please?

[Manuthor]

We should also support our own KMS server for storing this kind of config files secrets and support another URI scheme for a Cosmian KMS