feat(kryphos): add fjall-backed vault storage with advisory locking

[forkwright]

Summary

• Implement Vault struct backed by fjall for encrypted credential CRUD
• create/open with Argon2id key derivation and ChaCha20-Poly1305 key check verification
• add/get/list/remove for credential management, each entry individually encrypted
• Advisory file locking (fs2) to prevent concurrent vault access
• 10 tests covering all acceptance criteria: round-trip, wrong passphrase rejection, duplicate detection, persistence, concurrent open detection

Test plan

• Vault::create + Vault::open round-trip works
• add → get returns original secret
• list returns metadata without decrypted secrets
• remove deletes the entry
• Wrong passphrase on open returns error (not garbage data)
• Concurrent open fails with lock error
• cargo fmt --all -- --check passes
• cargo clippy --workspace --all-targets -- -D warnings passes
• cargo test --workspace passes (307 tests, 0 failures)

Observations

• Debt: Two SALT_LEN constants exist (vault::SALT_LEN = 16, crypto::SALT_LEN = 32). The vault header used 16-byte salts; the new storage module uses 32-byte salts from crypto::generate_salt(). Should unify. (crates/kryphos/src/vault.rs:12, crates/kryphos/src/crypto.rs:14)
• Idea: DecryptedEntry.secret is a plain Vec<u8>. Consider wrapping in zeroize::Zeroizing<Vec<u8>> so secrets are cleared on drop.

🤖 Generated with Claude Code

[github-actions]

⚠️ Large PR detected — 6 files, 780 lines changed.

Consider splitting into smaller PRs for easier review. Not a blocker, just a signal.