heypi keeps secrets out of chat and the model context, but they rest plaintext-readable in the runtime workspace
What this changes for operators
- The secret_request flow encrypts secrets client-side (WebCrypto), so they are not stored as chat history and are not sent to the model, which is a genuine win over pasting credentials into a channel. But the docs are equally explicit that secrets land as scoped runtime files (.secrets/<name>) and that anyone who can read the scoped runtime workspace can read saved secrets.
- Do not treat heypi's secret handoff as a vault. Restrict who and what can read the runtime workspace (and choose a sandboxed runtime accordingly), and remember that pending secret requests are lost on process restart.
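One concrete way to act on the "restrict who can read the runtime workspace" point is a small permission audit over the .secrets/<name> files the docs describe. The script below is an added example written for this signal, not heypi's own code; the .secrets/<name> layout comes from the page, while the workspace location, the file names and the secret values are constructed placeholders. It flags any secret file (or the directory itself) whose mode grants group or other access, which is the first thing an operator would check before trusting the handoff on a shared host.

```python
import stat
import tempfile
from pathlib import Path


def audit_secrets_dir(workspace: Path) -> list[str]:
    """Return findings for files under <workspace>/.secrets that are readable
    by anyone other than the owning user (group or other read bits set).

    The .secrets/<name> layout is taken from the heypi docs as quoted above;
    the workspace path itself is an assumption passed in by the caller.
    """
    findings: list[str] = []
    secrets_dir = workspace / ".secrets"
    if not secrets_dir.is_dir():
        return findings

    # The directory mode matters too: a 0o600 file inside a 0o755 directory
    # still leaks its name, and a group/other-writable directory allows swaps.
    dir_mode = stat.S_IMODE(secrets_dir.stat().st_mode)
    if dir_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"{secrets_dir}: directory mode {oct(dir_mode)} grants group/other access"
        )

    for entry in sorted(secrets_dir.iterdir()):
        if not entry.is_file():
            continue
        mode = stat.S_IMODE(entry.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{entry}: mode {oct(mode)} is readable by group/other")
    return findings


def demo() -> tuple[int, int]:
    """Constructed workspace: one secret left world-readable, one owner-only.

    Returns (findings before tightening, findings after tightening) so the
    effect of the fix is visible as a value rather than only as printed text.
    """
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        sdir = ws / ".secrets"
        sdir.mkdir(mode=0o700)

        # Constructed placeholder secrets; names and contents are invented.
        leaky = sdir / "api_token"
        leaky.write_text("constructed-placeholder-value\n")
        leaky.chmod(0o644)  # the misconfiguration the audit should catch

        tight = sdir / "db_password"
        tight.write_text("constructed-placeholder-value\n")
        tight.chmod(0o600)  # owner-only, as it should be

        before = len(audit_secrets_dir(ws))
        leaky.chmod(0o600)  # remediate and re-run
        after = len(audit_secrets_dir(ws))
        return before, after


if __name__ == "__main__":
    print("findings before/after remediation:", demo())
```

Run it against a real workspace with `audit_secrets_dir(Path("/path/to/workspace"))`; an empty list means no file under .secrets is exposed beyond its owner, which still says nothing about other processes running as that same user, so pair the check with the sandboxed runtime the signal recommends.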
Signal metadata
Source findings
- 2026-06-24-heypi-secret-handoff
Run: 2026-06-24-weekly-digest-2026-06-23_2026-06-24-frontier-v0
Schema: bitter.frontier_signals.v0 · ID: 2026-06-24-heypi-secrets-plaintext-at-rest
Signals are produced by the Bitter autonomous research loop.