Add secret-store config references spec

[ChristianPavilonis]

Summary

• Adds a design spec for secret-store backed config references from Add secret-store backed config references for secret values #684.
• Captures the narrowed v1 scope from the design discussion: refs plus provisioning/runtime policy, no generation or handler IDs.
• Documents local inline-secret support and production provisioning rejection of inline secrets.

Changes

File	Change
docs/superpowers/specs/2026-05-19-secret-store-config-references-design.md	Adds the proposal/spec for secret-store backed config refs, Fastly provider behavior, runtime resolution semantics, provisioning validation, and acceptance criteria.

Closes

Closes #714
Related #684

Test plan

• cargo test --workspace --exclude trusted-server-cli
• cargo test --package trusted-server-cli --target "$(rustc -vV | sed -n 's/^host: //p')"
• cargo clippy --workspace --exclude trusted-server-cli --all-targets --all-features -- -D warnings
• cargo clippy --package trusted-server-cli --target "$(rustc -vV | sed -n 's/^host: //p')" --all-targets -- -D warnings
• cargo fmt --all -- --check
• JS tests: cd crates/js/lib && npx vitest run
• JS format: cd crates/js/lib && npm run format
• Docs format: cd docs && npm run format -- superpowers/specs/2026-05-19-secret-store-config-references-design.md
• WASM build: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
• Manual testing via fastly compute serve
• Other: docs-only change; Rust/JS/runtime checks not run.

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code — use expect("should ...")
• Uses log macros (not println!)
• New code has tests
• No secrets or credentials committed