
feat(kryphos): add vault CLI — init, add, list, get, rotate, revoke, identity #38

Merged: forkwright merged 1 commit into main from feat/kryphos-cli on Mar 17, 2026


@forkwright (Owner)

Summary

  • Add vault subcommand group to the akroasis CLI with full credential CRUD and lifecycle operations
  • Wire kryphos vault API into CLI: init, add, list, get, rotate, revoke, identity
  • Secure passphrase input via rpassword (no terminal echo), double-confirmation on init

Subcommands

| Command | Description |
|---|---|
| `vault init` | Create new vault, prompt for passphrase (confirm twice) |
| `vault add <name> --type <type>` | Store encrypted credential (api-key, psk, certificate, radio-key, custom:label) |
| `vault list` | Show entries with status, type, created/rotated dates (no secrets) |
| `vault get <name>` | Decrypt and display secret |
| `vault rotate <name>` | Prompt for new secret value |
| `vault revoke <name>` | Mark as revoked with y/N confirmation |
| `vault identity` | Show installation public key fingerprint (hex-encoded) |

Test plan

  • CLI argument parsing tests for all 7 subcommands
  • Credential type parser tests (all variants + invalid input)
  • Integration tests with temp vault (init, add/get round-trip, list, rotate, revoke)
  • Identity fingerprint format validation
  • cargo fmt --all -- --check passes
  • cargo clippy --workspace --all-targets -- -D warnings passes
  • cargo test --workspace passes (357 tests, 0 failures)

Observations

  • Debt: run_identity generates a fresh ephemeral identity each call rather than reading the vault's sealed identity. The vault currently has no public API to retrieve its sealed InstallationIdentity after creation. A future PR should add Vault::identity() to unseal and return the stored keypair.
  • Missing test: No end-to-end test for the full CLI dispatch path (would require mocking stdin for rpassword). Consider adding a dispatch_with pattern (like radio module) that accepts a passphrase provider trait.

🤖 Generated with Claude Code
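
The passphrase provider trait suggested under "Missing test" could look like the sketch below. It is an added example, not code from this PR or the kryphos crate: `PassphraseProvider`, `Scripted`, `InitError`, `confirm_new_passphrase` and `scripted` are hypothetical names, and it assumes "double-confirmation" means enter once and re-enter once, with empty passphrases rejected.

```rust
use std::collections::VecDeque;
use std::io;

/// Hypothetical trait: abstracts where a passphrase comes from, so the CLI
/// path can use a no-echo terminal prompt and tests can use a script.
pub trait PassphraseProvider {
    fn read_passphrase(&mut self, prompt: &str) -> io::Result<String>;
}

/// Test double that replays constructed answers instead of reading a TTY.
pub struct Scripted(pub VecDeque<String>);

impl PassphraseProvider for Scripted {
    fn read_passphrase(&mut self, _prompt: &str) -> io::Result<String> {
        self.0
            .pop_front()
            .ok_or_else(|| io::Error::new(io::ErrorKind::UnexpectedEof, "no scripted input"))
    }
}

#[derive(Debug, PartialEq)]
pub enum InitError {
    Empty,
    Mismatch,
    Io(io::ErrorKind),
}

/// Passphrase entry for `vault init`, independent of stdin. Returns the
/// passphrase only when both entries are non-empty and identical.
pub fn confirm_new_passphrase<P: PassphraseProvider>(p: &mut P) -> Result<String, InitError> {
    let first = p
        .read_passphrase("New vault passphrase: ")
        .map_err(|e| InitError::Io(e.kind()))?;
    if first.is_empty() {
        return Err(InitError::Empty); // assumption: empty passphrases are refused
    }
    let second = p
        .read_passphrase("Confirm passphrase: ")
        .map_err(|e| InitError::Io(e.kind()))?;
    if first != second {
        return Err(InitError::Mismatch); // a typo must not silently seal the vault
    }
    Ok(first)
}

/// Builds a scripted provider from constructed sample answers.
pub fn scripted(answers: &[&str]) -> Scripted {
    Scripted(answers.iter().map(|s| s.to_string()).collect())
}
```

A terminal-backed implementation of the same trait would wrap the rpassword prompt the PR already uses, leaving the dispatch logic identical in tests and production.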

…identity

Wire kryphos vault operations into the akroasis CLI as a `vault`
subcommand group. All credential CRUD and lifecycle operations are
accessible from the command line with secure passphrase input via
rpassword (no terminal echo).

Subcommands:
- vault init — create vault with double-confirmed passphrase
- vault add <name> --type <type> — store encrypted credential
- vault list — show entries with status, type, dates (no secrets)
- vault get <name> — decrypt and display secret
- vault rotate <name> — update credential secret
- vault revoke <name> — mark as revoked with confirmation
- vault identity — show installation public key fingerprint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@github-actions (Contributor)

⚠️ Large PR detected — 6 files, 569 lines changed.

Consider splitting into smaller PRs for easier review. Not a blocker, just a signal.

@forkwright forkwright merged commit df3ac1a into main Mar 17, 2026
13 checks passed
@forkwright forkwright deleted the feat/kryphos-cli branch March 18, 2026 02:12