Add a config set-app-secret command so users and agents can rotate a
profile's app secret after resetting it on the open platform, instead of
hacking the OS keychain (which fails because the stored value lives in a
closed secure store). The command reads the new value from stdin, previews
the target and exits 10 without --yes, verifies the value via FetchTAT
before writing, stores it through core.ForStorage (the same primitive as
config init and config bind), and leaves other profiles untouched. It also
redirects the invalid_client hint to the new command and adds an optional
target field to the error envelope so the affected bot is named without
exposing the secret.