feat: 添加 Local Vault 加密存储服务

AES-256-GCM 加密 vault，支持 OS keychain 和加密文件回退，
scrypt KDF 密钥派生，64KB secret 上限。

Co-Authored-By: glm-5-turbo <zai-org@claude-code-best.win>

src/utils/sanitizeId.ts

@@ -0,0 +1,14 @@
+/**
+ * Sanitize an ID for use in error messages.
+ *
+ * Security invariant: full IDs (vault_id, credential_id, agent_id, etc.) must
+ * not appear in error messages as they may be leaked into logs, bug reports,
+ * or user-facing text. Expose only the first 8 characters.
+ *
+ * H3: single source of truth extracted from the 4 P2 API client files
+ * (vaultsApi, agentsApi, memoryStoresApi, skillsApi).
+ */
+export function sanitizeId(id: string): string {
+  if (id.length <= 8) return id
+  return `${id.slice(0, 8)}…`
+}