feat(#353): Create VaultService NestJS module for OpenBao Transit

Implements secure credential encryption using OpenBao Transit API with
automatic fallback to AES-256-GCM when OpenBao is unavailable.

Features:
- AppRole authentication with automatic token renewal at 50% TTL
- Transit encrypt/decrypt with 4 named keys
- Automatic fallback to CryptoService when OpenBao unavailable
- Auto-detection of ciphertext format (vault:v1: vs AES)
- Request timeout protection (5s default)
- Health indicator for monitoring
- Backward compatible with existing AES-encrypted data

Security:
- ERROR-level logging for fallback
- Proper error propagation (no silent failures)
- Request timeouts prevent hung operations
- Secure credential file reading

Migrations:
- Account encryption middleware uses VaultService
- Uses TransitKey.ACCOUNT_TOKENS for OAuth tokens
- Backward compatible with existing encrypted data

Tests: 56 tests passing (36 VaultService + 20 middleware)

Closes #353

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.env.example

@@ -109,6 +109,12 @@ ENCRYPTION_KEY=REPLACE_WITH_64_CHAR_HEX_STRING_GENERATE_WITH_OPENSSL_RAND_HEX_32
 OPENBAO_ADDR=http://openbao:8200
 OPENBAO_PORT=8200
 
+# AppRole Authentication (Optional)
+# If not set, credentials are read from /openbao/init/approle-credentials volume
+# These env vars are useful for testing or when running outside Docker
+# OPENBAO_ROLE_ID=your-role-id-here
+# OPENBAO_SECRET_ID=your-secret-id-here
+
 # ======================
 # Ollama (Optional AI Service)
 # ======================