Add --param-secret flag to plan run

[daniel-de-vera]

Summary

• Adds --param-secret param-name=secret-name to signadot plan run, wiring a new Secrets map[string]string into PlanExecutionSpec so plan params can be bound to org secrets at execution time (without decrypted values ever touching the plan_executions row or API responses).
• Rejects overlap between --param and --param-secret for the same key locally; other validations (unknown param, missing secret) are handled server-side.
• Bumps go-sdk to pick up PlanExecutionSpec.Secrets.

Related: signadot/signadot#6904

Test plan

• signadot plan run PLAN --param-secret api-key=my-secret → execution created, response shows secrets: {api-key: my-secret} (name, not value)
• signadot plan run PLAN --param x=1 --param-secret x=my-secret → fails locally with param "x" appears in both --param and --param-secret; specify only one
• signadot plan run PLAN --param-secret unknown=my-secret → server rejects with 400 (key must match a declared plan param)
• signadot plan run PLAN --param-secret api-key=nonexistent → server rejects with 400 (secret not found)
• Action script receives decrypted value via context/api-key, same as a literal param

🤖 Generated with Claude Code

[scott-cotton]

LGTM

[daniel-de-vera]

@scott-cotton, I renamed --secret to --param-secret (as Ani suggested).
Merging now.