Closes #740

Summary

This adds support for a private YAML overlay file that is merged into the main input before Pydantic validation:

rendercv render cv.yaml --secrets secrets.yaml
The overlay is intentionally general-purpose, so users can keep public-safe mock values in their committed CV YAML and replace any subset of fields locally, such as cv.email, cv.phone, or cv.location, without breaking schema validation or watch mode.

Implementation

• Adds secrets_yaml_file support to the model-building pipeline.
• Deep-merges the secrets YAML into the already-loaded input before validation.
• Tracks validation errors from values supplied by the secrets file as secrets_yaml_file, so errors point at the private overlay when applicable.
• Adds --secrets to rendercv render and includes the secrets file in watch-mode input tracking.
• Keeps CLI field overrides higher priority than the secrets overlay.

Testing

Passing locally:

uv run pytest tests/schema/test_rendercv_model_builder.py tests/cli/render_command/test_run_rendercv.py tests/cli/render_command/test_render_command.py -q
uv run --frozen --all-extras ty check src tests

Note: uv run --frozen --all-extras prek run --all-files may fail on current main because of the pre-commit/ty version mismatch handled separately in #744. The remaining failure is unrelated to this feature branch.

Non-goals / Security note

This is not a secret manager. The file is only read locally and merged before validation; users should keep it git-ignored.