feat(#357): Add OpenBao to Docker Compose with turnkey setup

Implements secure credential storage using OpenBao Transit encryption.

Features:
- Auto-initialization on first run (1-of-1 Shamir key for dev)
- Auto-unseal on container restart with verification and retry logic
- Transit secrets engine with 4 named encryption keys
- AppRole authentication with Transit-only policy
- Localhost-only API binding for security
- Comprehensive integration test suite (22 tests, all passing)

Security:
- API bound to 127.0.0.1 (localhost only, no external access)
- Unseal verification with 3-attempt retry logic
- Sanitized error messages in tests (no secret leakage)
- Volume-based secret reading (doesn't require running container)

Files:
- docker/openbao/config.hcl: Server configuration
- docker/openbao/init.sh: Auto-init/unseal script
- docker/docker-compose.yml: OpenBao and init services
- tests/integration/openbao.test.ts: Full test coverage
- .env.example: OpenBao configuration variables

Closes #357

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.env.example

@@ -101,6 +101,14 @@ JWT_EXPIRATION=24h
 # SECURITY: Store production keys in a secure secrets manager (see docs/design/credential-security.md)
 ENCRYPTION_KEY=REPLACE_WITH_64_CHAR_HEX_STRING_GENERATE_WITH_OPENSSL_RAND_HEX_32
 
+# ======================
+# OpenBao Secrets Management
+# ======================
+# OpenBao provides Transit encryption for sensitive credentials
+# Auto-initialized on first run via openbao-init sidecar
+OPENBAO_ADDR=http://openbao:8200
+OPENBAO_PORT=8200
+
 # ======================
 # Ollama (Optional AI Service)
 # ======================