secretsCommand: not parsed or executed #23

@bilby91

Gap

The spec field `secretsCommand` is not present in `config/raw.go` and has no execution path. Containers needing host-derived secrets (auth tokens, GPG keys) cannot use the spec mechanism.

Expected

Per spec: `secretsCommand` runs on the host before container start and exposes its stdout (key=value lines) as environment variables to the container — analogous to `initializeCommand` but with output capture.

Steps

  1. Add `SecretsCommand` to `rawConfig` and `ResolvedConfig`.
  2. Run host-side via the same `HostExecutor` interface that #11 (initializeCommand: HostExecutor wiring on EngineOptions) introduces for `initializeCommand`.
  3. Capture stdout, parse key=value, merge into `ContainerEnv` before `buildRunSpec`.
  4. Document the security implications (host code execution, credential exposure) — opt-in with a clear knob, like `initializeCommand`.

Dependency

Best landed alongside #11 (HostExecutor) since both share the host-execution surface.
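
A sketch of step 3 (parse captured stdout, merge into the container environment), added here as an example and not code from the issue or the project. The function names `parseSecretsOutput` and `mergeSecrets`, the key-name rule, skipping blank lines, and letting secrets override existing entries are all assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// envName is an assumed validity rule for keys (POSIX-style variable names).
var envName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// parseSecretsOutput turns captured stdout (key=value lines) into a map.
// Errors name only the line number, never the line content, so a malformed
// line cannot leak a secret value into logs.
func parseSecretsOutput(stdout string) (map[string]string, error) {
	secrets := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(stdout))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimRight(sc.Text(), "\r")
		if strings.TrimSpace(line) == "" {
			continue // assumption: blank lines are ignored
		}
		key, value, ok := strings.Cut(line, "=") // split on the first '=' only
		if !ok || !envName.MatchString(key) {
			return nil, fmt.Errorf("secretsCommand output line %d: not a valid key=value pair", n)
		}
		secrets[key] = value
	}
	return secrets, sc.Err()
}

// mergeSecrets returns a copy of containerEnv with secrets applied on top
// (assumed precedence); neither input map is modified.
func mergeSecrets(containerEnv, secrets map[string]string) map[string]string {
	out := make(map[string]string, len(containerEnv)+len(secrets))
	for k, v := range containerEnv {
		out[k] = v
	}
	for k, v := range secrets {
		out[k] = v
	}
	return out
}

func main() {
	// Constructed sample output; values are deliberately not printed.
	secrets, err := parseSecretsOutput("API_TOKEN=abc=123\n\nGPG_KEY_ID=0000\n")
	fmt.Println(len(mergeSecrets(map[string]string{"EDITOR": "vim"}, secrets)), err)
}
```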
