Migrate to proper secret passing using OpenHands SDK pattern

[rbren]

Summary

This PR migrates the CVE demo from using environment variable exports to properly passing secrets using the OpenHands SDK's conversation.update_secrets() method, following the pattern demonstrated in openhands/software-agent-sdk/examples/01_standalone_sdk/12_custom_secrets.py.

Problem

Previously, the code was trying to pass GITHUB_TOKEN to agents by exporting it as an environment variable in the workspace:

def setup_git_environment(self):
    github_token = os.getenv('GITHUB_TOKEN')
    if github_token:
        self.workspace.execute_command(f"export GITHUB_TOKEN={github_token}")

This approach had several issues:

• Environment variable exports don't persist properly across workspace commands
• It's not the recommended way to handle secrets in OpenHands SDK
• It doesn't follow the patterns shown in the software-agent-sdk examples

Solution

Now using the proper OpenHands SDK pattern:

def create_agent_conversation(self, secrets: Optional[Dict[str, str]] = None) -> tuple[Agent, Conversation]:
    # ... create agent and conversation ...
    if secrets:
        conversation.update_secrets(secrets)
    return agent, conversation

Changes Made

Core Changes

• Updated BaseAgent.create_agent_conversation(): Now accepts optional secrets parameter and uses conversation.update_secrets()
• Replaced setup_git_environment(): Removed the problematic method and replaced with get_github_token() helper
• Updated agent usage: Both CVE scanner and solver now properly pass GITHUB_TOKEN as a secret

Documentation & Examples

• Added SECRETS_MIGRATION.md: Comprehensive documentation explaining the migration
• Added example_secrets_usage.py: Demonstration script showing the new pattern

Benefits

1. Proper Secret Handling: Secrets are now passed securely using OpenHands SDK's built-in mechanism
2. Follows Best Practices: Aligns with software-agent-sdk examples
3. Better Security: No need to export sensitive tokens as environment variables
4. Reliability: Secrets are guaranteed to be available to agents during execution
5. Maintainability: Cleaner code following established patterns

Testing

• ✅ All modified files compile without syntax errors
• ✅ Created and ran test script to verify secret passing works correctly
• ✅ Example script demonstrates the new functionality

Files Changed

• src/agents/base_agent.py: Updated conversation creation with secrets support
• src/agents/cve_scanner.py: Updated to use new secret passing pattern
• src/agents/cve_solver.py: Updated to use new secret passing pattern
• SECRETS_MIGRATION.md: Added comprehensive migration documentation
• example_secrets_usage.py: Added demonstration script

The agents will continue to work exactly as before from a user perspective, but now use the proper OpenHands SDK pattern for handling secrets securely.

@rbren can click here to continue refining the PR