[Security] Secure key storage with platform keychain integration #1498

@bbopen

Description

Summary

Encryption keys are currently stored as plaintext JSON files on disk. Keys should be protected using platform-native secure storage (macOS Keychain, Windows DPAPI, Linux Secret Service) with a password-derived fallback.

Problem

In core/gateways/file/key-bag-file.ts, encryption keys are saved as plaintext JSON. Anyone with file system access can read these keys and decrypt the database.

Proposed Solution

  1. Add optional keychain adapter dependencies (@perkse/keytar, argon2-browser)
  2. Create keychain adapter interface at core/keybag/keychain-adapter.ts
  3. Implement platform-specific adapters:
    • macOS Keychain
    • Windows DPAPI
    • Linux Secret Service
  4. Implement password-derived fallback with Argon2id
  5. Create SecureKeystoreService at core/keybag/secure-keystore.ts
  6. Implement transparent migration from plaintext keys
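As an added illustration of steps 4 to 6 (password-derived fallback plus transparent migration), written for this issue and not taken from the project: it seals the key-bag JSON under a password-derived key-encryption key with AES-256-GCM and wraps an existing plaintext key bag in place. Node's built-in scrypt stands in for the proposed Argon2id, and `SealedKeyBag`, `sealKeyBag`, `openKeyBag`, `migrateKeyBag` and the sample key are assumed names.

```typescript
import { randomBytes, scryptSync, createCipheriv, createDecipheriv } from "crypto";

// Record written to disk in place of the plaintext key JSON (hypothetical format).
export interface SealedKeyBag {
  v: 1;
  kdf: "scrypt"; // stand-in for Argon2id; swap when the adapter lands
  salt: string;  // hex, 16 bytes
  iv: string;    // hex, 12-byte GCM nonce
  tag: string;   // hex, 16-byte GCM auth tag
  ct: string;    // hex ciphertext of the original key JSON
}

// Derive a 32-byte key-encryption key from the user password (fallback path).
function deriveKek(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32, { N: 1 << 14, r: 8, p: 1 });
}

// Seal a plaintext key-bag JSON string so nothing about the keys lands on disk in clear.
export function sealKeyBag(plainJson: string, password: string): SealedKeyBag {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", deriveKek(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plainJson, "utf8"), cipher.final()]);
  return { v: 1, kdf: "scrypt", salt: salt.toString("hex"), iv: iv.toString("hex"),
           tag: cipher.getAuthTag().toString("hex"), ct: ct.toString("hex") };
}

// Open a sealed key bag; throws on a wrong password or a tampered record (GCM tag check).
export function openKeyBag(sealed: SealedKeyBag, password: string): string {
  const kek = deriveKek(password, Buffer.from(sealed.salt, "hex"));
  const decipher = createDecipheriv("aes-256-gcm", kek, Buffer.from(sealed.iv, "hex"));
  decipher.setAuthTag(Buffer.from(sealed.tag, "hex"));
  const pt = Buffer.concat([decipher.update(Buffer.from(sealed.ct, "hex")), decipher.final()]);
  return pt.toString("utf8");
}

// Transparent migration: a file that is still plain key JSON gets sealed on first load;
// a file that already carries the sealed record is returned unchanged.
export function migrateKeyBag(fileContents: string, password: string): SealedKeyBag {
  const parsed = JSON.parse(fileContents);
  if (parsed && parsed.v === 1 && typeof parsed.ct === "string") return parsed as SealedKeyBag;
  return sealKeyBag(fileContents, password);
}

// Constructed sample of the plaintext key bag the issue describes (not a real key).
export const SAMPLE_PLAINTEXT = JSON.stringify({ keys: { main: "0123456789abcdef0123456789abcdef" } });
```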

Expected Outcomes

  • Keys never stored as plaintext on disk
  • Keys integrate with platform keychain when available
  • Fallback to password-derived encryption when keychain unavailable
  • Existing plaintext keys migrated transparently

Dependencies

This should be implemented after removing the storekey=insecure bypass.
