Commit 9ba52fc

jhrozek and claude committed
Add Secret Injection Middleware proposal
Introduces a design proposal for dynamic secret fetching and injection into MCP proxy requests using HashiCorp Vault or other secret providers.

This proposal addresses the need for per-user credential isolation when backend services use static authentication (API keys, tokens) rather than OAuth/OIDC. While ToolHive's existing token exchange middleware handles OAuth-compatible backends, many legacy APIs and SaaS tools require static credentials that should be:
- Stored securely in centralized secret managers (Vault, AWS Secrets Manager)
- Isolated per user or tenant for proper attribution and audit trails
- Fetched dynamically at request time based on user identity

Key design elements:
- Generic SecretFetcher interface with Vault as primary implementation
- Uses JWT authentication to Vault for per-user secret access
- Integrates with existing middleware chain after token exchange
- HTTP-only Vault client to avoid BSL 1.1 licensing concerns
- Phased delivery: static paths (Phase 1), Go templating (Phase 2)
- Supports both CLI flags and Kubernetes CRD configuration
- Complementary to existing pkg/secrets (startup-time workload secrets)

The proposal includes:
- Three concrete use cases (Algolia admin keys, multi-tenant SaaS, secure storage)
- Detailed Vault setup instructions with security controls
- Comparison with existing pkg/secrets system
- Testing strategy for unit, integration, and operator tests

Affected components:
- docs/proposals/ - New proposal document

Refs: THV-2063 (token exchange middleware)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
1 parent 5805898 commit 9ba52fc

1 file changed

+514
-0
lines changed