feat: secure mode

[andrinoff]

What?

1. Cache directory separation** — Moved all cache files from ~/.config/matcha/ to ~/.cache/matcha/ with automatic one-time migration for existing installations. Fixes BUG: Cache should not be in ~/.config #385

2. Email body caching — Email bodies and attachment metadata are now cached to disk per-folder. Opening a previously viewed email loads instantly from cache instead of fetching from the server. Stale entries are pruned when folder emails are refreshed.

3. Optional password-based encryption — All data (config + caches) can be encrypted with a user-chosen password. Uses AES-256-GCM with Argon2id key derivation. The password is never stored anywhere — the user enters it each session. A sentinel phrase verifies correctness. When enabled, account passwords are stored inside the encrypted config instead of the OS keyring.

Why?

• Cache files don't belong in ~/.config/ — they're ephemeral and should follow XDG conventions (~/.cache/)
• Email body fetching was always a network round-trip, even for previously read emails
• Users who want privacy need a way to protect their email data at rest without relying on OS-level encryption or keyrings