Add provider API-key import path as an additional usage data source

[newbish]

Objective

Allow a workspace to ingest usage data from a user-supplied provider API key in addition to the Hermes/plugin-fed rollup path.

Why

Right now the product assumes one import path. We also need to support cases where a user can supply an API key and let the app pull usage directly. If both sources exist, we should retain both instead of pretending they are the same thing.

Scope

• Add a secure configuration path for a workspace-level provider API key
• Define how the app pulls usage data from that provider using the key
• Store imported records with explicit source attribution
• Prevent duplicate counting when Hermes/plugin imports and provider-key imports overlap
• Keep the ingestion contract extensible so more than one source can coexist

Tasks

• Extend the schema to represent usage source (hermes_plugin, provider_api_key, etc.)
• Add encrypted or secret-backed storage for a provider API key reference
• Build a sync/import path that fetches usage from the provider API
• Normalize provider responses into the canonical ingestion model
• Add idempotency/deduplication rules across multiple sources
• Document precedence/merge behavior when both data sources cover the same time range

Acceptance criteria

• A workspace can store or reference a provider API key safely
• The system can import usage with no Hermes plugin input at all
• Imported records clearly retain source attribution
• Overlapping imports do not blindly double count usage
• The ingestion model remains compatible with the existing Hermes plugin path

Notes

This should build on Slice 2 rather than fork it. The main design question is source-of-truth and reconciliation, not just adding another fetch job.