security: remove all REDACTED secrets from repo, add pre-commit guard

- Delete 26 secret manifests containing REDACTED placeholder values
  (15 cert-manager TLS + 11 app secrets across 8 namespaces)
- REDACTED is valid base64 that decodes to non-UTF-8 bytes — ArgoCD
  applying these manifests corrupts live secrets in the cluster
- Add .githooks/pre-commit that rejects any .yaml with REDACTED
- Add README.md documenting secret management policy and manual
  creation commands for each service
- n8n secret manifests already fixed in previous commits (618b1e8, db04fd2)

openclaw/secret-openclaw-tls.yaml

@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
-  tls.crt: REDACTED
-  tls.key: REDACTED
-kind: Secret
-metadata:
-  annotations:
-    cert-manager.io/alt-names: openclaw.chemavx.xyz
-    cert-manager.io/certificate-name: openclaw-tls
-    cert-manager.io/common-name: openclaw.chemavx.xyz
-    cert-manager.io/ip-sans: ''
-    cert-manager.io/issuer-group: cert-manager.io
-    cert-manager.io/issuer-kind: ClusterIssuer
-    cert-manager.io/issuer-name: letsencrypt-prod
-    cert-manager.io/uri-sans: ''
-  labels:
-    controller.cert-manager.io/fao: 'true'
-  name: openclaw-tls
-  namespace: openclaw
-type: kubernetes.io/tls
-

openclaw/secret-openclaw-token.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-data:
-  OPENCLAW_TOKEN: REDACTED
-kind: Secret
-metadata:
-  name: openclaw-token
-  namespace: openclaw
-type: Opaque
-