
feat: add Bitwarden secrets integration #542

Draft
bussyjd wants to merge 2 commits into main from feature/bitwarden-secrets-manager



@bussyjd (Collaborator) commented May 24, 2026

Summary

  • Add obol agent secrets bitwarden setup|status|disable for Hermes Bitwarden Secrets Manager sync; status reports only Obol-managed config and Kubernetes Secret key presence.
  • Wire host-managed Hermes and Agent CRD child agents to render Hermes' native secrets.bitwarden config with optional hermes-env Secret injection.
  • Keep the Obol Bitwarden surface thin: runtime fetching, install, cache, and env application stay in Hermes; Obol only shells out to bws secret list for obol model setup --api-key-source bitwarden so provider keys can be validated and written to LiteLLM.
  • Match Hermes defaults by leaving server_url unset unless the operator specifies an EU Cloud or self-hosted endpoint; OpenClaw Bitwarden wiring is not supported.

Validation

  • Checked against Hermes' native Bitwarden config, env loader, and secret-source implementation.
  • python3 -m py_compile internal/embed/skills/agent-factory/scripts/factory.py
  • git diff --check
  • go test ./cmd/obol ./internal/hermes ./internal/serviceoffercontroller ./internal/embed ./internal/agentcrd ./internal/model ./internal/monetizeapi -count=1

Note: go test ./... -count=1 currently fails in internal/stack at TestWarnIfNoChatModel_EmitsWarnWhenNoModels; the isolated test fails the same way on this checkout and the changed files do not touch internal/stack.
