fix(security): encrypt app secrets at rest with AES-256-GCM (#6)

Encrypt three sensitive secrets that were stored in plaintext: OIDC client_secret, SMTP smtp_password, TOTP totp_secret. AES-256-GCM via pm-core::crypto helper. New per-install key at /etc/patch-manager/keys/secret-encryption.key, separate from health-check.key for blast-radius isolation. MASKED placeholder behavior in API responses is preserved.

23 files changed, +1248 / -28. Closes #6.

Cargo.toml

@@ -8,6 +8,7 @@ members = [
     "crates/pm-auth",
     "crates/pm-ca",
     "crates/pm-reports",
+    "crates/migrate-secrets",
 ]
 
 [workspace.package]