add default sandbox_labels to rlm-secrets

[snimu]

Description

Add default sandbox_labels to the rlm-secrets environment.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Test improvement

Testing

• All existing tests pass when running uv run pytest locally.
• New tests have been added to cover the changes

Checklist

• My code follows the style guidelines of this project as outlined in AGENTS.md
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• Any dependent changes have been merged and published

---

Note

Low Risk
Low risk: small, localized change to environment construction that only affects sandbox labeling and adds input validation; main behavior is unchanged unless callers passed invalid sandbox_labels.

Overview
The rlm-secrets environment now always adds a default "rlm-secrets" entry to sandbox_labels, validates that any provided sandbox_labels is list[str], and deduplicates labels before passing them into RLMSecretsEnv.

Bumps the package version to 0.1.1 and documents the change in the README changelog.

^{Written by Cursor Bugbot for commit 9dcf7c3. This will update automatically on new commits. Configure here.}