Extract `credential::resolve` from dfe-fetcher into shared module

[kazmosahebi]

Background

dfe-fetcher has a credential-resolution helper at src/credential.rs that
parses three spec formats and resolves them to plaintext values:

• vault:path:key — fetches from OpenBao/Vault via hyperi_rustlib::secrets
• env:VAR_NAME — reads from the environment
• any other string — used literally

This pattern is now needed in dfe-loader (see hyperi-io/dfe-loader#56)
so the loader's loader.yaml can reference env vars for ClickHouse credentials
via env:CLICKHOUSE_USERNAME / env:CLICKHOUSE_PASSWORD. Future services will
likely want it too.

Proposal

Extract the resolver into a new hyperi_rustlib::credential module:

• pub async fn resolve(spec: &str) -> Result<String, CredentialError>
• pub async fn resolve_optional(spec: Option<&str>) -> Result<Option<String>, CredentialError>
• new CredentialError enum (variants: MissingEnvVar, Vault, BadSpec)
• re-export at the crate root: pub use credential::{resolve, resolve_optional, CredentialError};

No new dependencies — the vault path already uses hyperi_rustlib::secrets.

Scope

Only the resolution helpers move. TokenManager, http_client,
http_client_with_timeout stay in dfe-fetcher (fetcher-specific).

Downstream

• dfe-fetcher switches its credential module to re-export from rustlib.
  Existing 8 call-sites (source/{aws,azure,gcp,m365}/mod.rs) keep
  use crate::credential unchanged.
• dfe-loader adopts it for ClickHouse credentials (hyperi-io/dfe-loader#56).

Acceptance

• hyperi_rustlib::credential::resolve resolves all three spec formats
• Existing dfe-fetcher tests pass against the new location
• dfe-fetcher compiles and its credential tests still pass
• Docs added to the module