config: add secret_source=metadata mode and ${secret:NAME} interpolation

Phase C Cloud tenants need to fetch the provider API key from the host
metadata gateway instead of reading process.env. The loader now supports
two modes: the existing default secret_source: env continues to read
process.env unchanged, and the new secret_source: metadata fetches the
named secret from http://169.254.169.254/v1/secrets/<name>, populates
process.env.ANTHROPIC_API_KEY and ANTHROPIC_AUTH_TOKEN, and walks the
parsed config replacing ${secret:NAME} references with their resolved
plaintext. Self-host installs that omit secret_source see no behaviour
change. Whole-string interpolation only, so partial-string references
in URLs and other composed values are intentionally left untouched to
avoid leaking plaintext through any code path that logs the original
string. Adds MetadataSecretFetcher (60s TTL cache, ETag/If-None-Match
against X-Phantom-Rotation-Id) and updates two callers (src/index.ts,
src/cli/doctor.ts) to await the now-async loadConfig. The original
sync code path is preserved as loadConfigSync for any context that
genuinely cannot await.

Author: mcheemaa

src/agent/__tests__/prompt-assembler.test.ts

@@ -9,7 +9,8 @@ const baseConfig: PhantomConfig = {
 	port: 3100,
 	role: "swe",
 	model: "claude-opus-4-6",
-	provider: { type: "anthropic" },
+	provider: { type: "anthropic", secret_name: "provider_token" },
+	secret_source: "env",
 	effort: "max",
 	max_budget_usd: 0,
 	timeout_minutes: 240,

src/cli/doctor.ts

@@ -90,7 +90,7 @@ async function checkConfig(): Promise<CheckResult> {
 	}
 	try {
 		const { loadConfig } = await import("../config/loader.ts");
-		const config = loadConfig();
+		const config = await loadConfig();
 		return { name: "Config", status: "ok", message: `${config.name} (${config.role}, port ${config.port})` };
 	} catch (err: unknown) {
 		const msg = err instanceof Error ? err.message : String(err);