Store app secrets in encrypted blob #271

Draft
cursor[bot] wants to merge 1 commit into main from cursor/ENG-521-linear-issue-triage-automation-d8f9

@cursor cursor Bot commented Jun 1, 2026

Summary

  • Replaces per-secret keychain storage for app API keys with one keychain-backed data key plus one AES-256-GCM encrypted secrets blob in the app data directory.
  • Adds in-memory decrypted secret caching so repeated reads in one app session do not re-touch keychain.
  • Migrates existing settings.json plaintext values and legacy per-key keychain items into the blob, then cleans up old items when migration completes.
  • Clears the encrypted blob from the developer clear-state action and updates the E2E storage-bypass contract assertion.

Resolves ENG-521

Test Plan

  • cargo +stable test -p nixmac storage -- --nocapture (blocked after compiling the new storage/crypto code by existing Linux app entrypoint compile errors in main.rs / peek.rs: missing hidden_title, RunEvent::Reopen, bool deref, and -D unused on window)
  • node tools/computer-use-e2e/peekaboo-workflow-contract-self-test.mjs (blocked by an existing workflow assertion about root dependency/Nix/devenv path triggers before reaching the updated storage assertion)
  • git diff --check HEAD~1..HEAD

Docs

  • Docs updated (companion PR in darkmatter/nixmac-web: #___)
  • No docs update needed

Co-authored-by: cooper <czxtm@users.noreply.github.com>
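
The storage scheme the summary describes (one data key, one AES-256-GCM blob, a per-session cache), sketched as an added example in Node.js; it is not the PR's Rust code. The blob layout, the `NXS1` tag and the function names are assumptions made for illustration.

```javascript
// Added illustration, not the PR's Rust code. Assumed blob layout:
//   "NXS1" format tag (AAD) | 12-byte nonce | 16-byte GCM tag | ciphertext
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const MAGIC = Buffer.from('NXS1'); // hypothetical format/version tag
const NONCE_LEN = 12;
const TAG_LEN = 16;
const HEADER_LEN = MAGIC.length + NONCE_LEN + TAG_LEN;

// Encrypt the whole secrets map under the 32-byte data key.
function sealSecrets(dataKey, secrets) {
  if (dataKey.length !== 32) throw new Error('data key must be 32 bytes');
  const nonce = randomBytes(NONCE_LEN); // fresh per write: GCM breaks on nonce reuse
  const cipher = createCipheriv('aes-256-gcm', dataKey, nonce);
  cipher.setAAD(MAGIC); // bind the format tag to the ciphertext
  const ct = Buffer.concat([cipher.update(JSON.stringify(secrets), 'utf8'), cipher.final()]);
  return Buffer.concat([MAGIC, nonce, cipher.getAuthTag(), ct]);
}

// Decrypt and authenticate; throws on a wrong key or any modified byte.
function openSecrets(dataKey, blob) {
  if (blob.length < HEADER_LEN || !blob.subarray(0, MAGIC.length).equals(MAGIC)) {
    throw new Error('unrecognised secrets blob');
  }
  const nonce = blob.subarray(MAGIC.length, MAGIC.length + NONCE_LEN);
  const tag = blob.subarray(MAGIC.length + NONCE_LEN, HEADER_LEN);
  const decipher = createDecipheriv('aes-256-gcm', dataKey, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Session cache: fetchDataKey (the keychain read) runs at most once per store.
function makeSecretStore(fetchDataKey, readBlob) {
  let cache = null;
  return {
    get(name) {
      if (cache === null) cache = openSecrets(fetchDataKey(), readBlob());
      return cache[name];
    },
  };
}
```
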

github-actions Bot commented Jun 1, 2026

Warnings
⚠️ PR is marked WIP / draft — do not merge until ready for review.
⚠️ Please assign this PR to someone (usually yourself).
⚠️ ❗ Big PR (564 lines changed). Consider splitting it into smaller, focused changes.

📋 PR Overview

Lines changed: 564 (+547 / -17)
Files: 1 added, 7 modified, 0 deleted
Draft / WIP: yes
Has Test Plan: yes
New UI components: no
New Storybook stories: no
New Rust modules: yes (1)
New TS source files: no
New tests: no
package.json touched: no
Cargo.toml touched: yes
Infra / CI touched: no

🔬 Coverage

| Report | Lines | Statements | Functions | Branches |
| --- | --- | --- | --- | --- |
| apps/native/coverage/coverage-summary.json | 17.9% | 17.9% | 31.0% | 54.1% |

Generated by 🚫 dangerJS against 4ffd7e6
