PRD-24b: Cloud KMS Providers — AWS, GCP, Azure, Vault Transit #23

@PancheI

Description

Implement cloud KMS providers for envelope encryption. Core IKmsProvider/IShareStore interfaces and LocalFileKmsProvider already shipped (#17).

Splits off the remaining cloud provider work from the original PRD-24.

Acceptance Criteria

  • AwsKmsProvider — AWS KMS Encrypt/Decrypt with CMK ARN
  • GcpKmsProvider — GCP Cloud KMS Encrypt/Decrypt with key resource name
  • AzureKmsProvider — Azure Key Vault wrapKey/unwrapKey
  • VaultTransitProvider — HashiCorp Vault Transit engine encrypt/decrypt
  • KmsModule with provider factory — KMS_PROVIDER env var selects backend
  • docker-compose.yml makes Vault optional via Docker Compose profiles
  • Migration tool converts existing Vault KV shares to envelope format
  • Health check reports KMS provider status (provider-agnostic)
  • Provider tests for AWS, GCP, Azure, Vault Transit (mocked SDKs)
  • Full integration test with each provider
  • pnpm build succeeds across all packages

Tasks

  • Implement AwsKmsProvider (aws-sdk v3 @aws-sdk/client-kms)
  • Implement GcpKmsProvider (@google-cloud/kms)
  • Implement AzureKmsProvider (@azure/keyvault-keys)
  • Implement VaultTransitProvider (HTTP API to Vault Transit)
  • Create KmsModule with provider factory + env var selection
  • Update docker-compose.yml — Vault as optional profile
  • Create migration tool (Vault KV → envelope format)
  • Write provider unit tests (mocked SDK clients)
  • Write integration tests per provider
  • Update health controller for provider-agnostic KMS status

Context

Depends on core interfaces from #17 (closed, shipped):

  • IKmsProvider: encrypt(plaintext) → EncryptedEnvelope, decrypt(envelope) → plaintext
  • IShareStore: storeShare(signerId, share), loadShare(signerId) → share
  • EncryptedEnvelope: { ciphertext, iv, tag, kmsKeyId, kmsProvider }
  • LocalFileKmsProvider — reference implementation for dev/testing
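The envelope flow behind the IKmsProvider/EncryptedEnvelope shapes above and the KMS_PROVIDER factory from the acceptance criteria, as an added TypeScript example that is not the project's code: a fresh AES-256-GCM data key per share is wrapped through a pluggable KeyWrapper (an in-memory stand-in here so it runs offline), decrypt refuses envelopes stamped with a different kmsProvider, and an unknown KMS_PROVIDER fails closed. The wrappedKey field, the KeyWrapper interface, the synchronous signatures and the key ids are assumptions.

```typescript
// Added example, not the project's code. Assumed: the `wrappedKey` field, the KeyWrapper
// interface, the kmsProvider check on decrypt, synchronous calls and an in-memory KMS stand-in.
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
export interface EncryptedEnvelope { ciphertext: Buffer; iv: Buffer; tag: Buffer; kmsKeyId: string;
  kmsProvider: string; wrappedKey: Buffer /* assumed: the data key as wrapped by the KMS */ }
export interface IKmsProvider { encrypt(plaintext: Buffer): EncryptedEnvelope; decrypt(e: EncryptedEnvelope): Buffer }
// What each cloud SDK call reduces to: wrap/unwrap a data key under a key the KMS never releases.
export interface KeyWrapper { keyId: string; wrap(dek: Buffer): Buffer; unwrap(blob: Buffer): Buffer }
export class EnvelopeKmsProvider implements IKmsProvider {
  constructor(readonly name: string, private readonly kek: KeyWrapper) {}
  encrypt(plaintext: Buffer): EncryptedEnvelope {
    const dek = randomBytes(32), iv = randomBytes(12); // fresh AES-256-GCM data key per share
    const c = createCipheriv("aes-256-gcm", dek, iv);
    const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
    const env = { ciphertext, iv, tag: c.getAuthTag(), kmsKeyId: this.kek.keyId,
      kmsProvider: this.name, wrappedKey: this.kek.wrap(dek) };
    dek.fill(0); // the plaintext data key never leaves this method
    return env;
  }
  decrypt(env: EncryptedEnvelope): Buffer {
    if (env.kmsProvider !== this.name) // never hand an envelope from another backend to this KMS
      throw new Error(`envelope bound to ${env.kmsProvider}, active provider is ${this.name}`);
    const dek = this.kek.unwrap(env.wrappedKey);
    const d = createDecipheriv("aes-256-gcm", dek, env.iv);
    d.setAuthTag(env.tag); // any change to ciphertext, iv or tag makes final() throw
    const plaintext = Buffer.concat([d.update(env.ciphertext), d.final()]);
    dek.fill(0);
    return plaintext;
  }
}
// Offline stand-in for AWS/GCP/Azure/Vault Transit: wraps the DEK under a local KEK with AES-GCM.
export class InMemoryKek implements KeyWrapper {
  private readonly kek = randomBytes(32);
  constructor(readonly keyId: string) {}
  wrap(dek: Buffer): Buffer {
    const iv = randomBytes(12), c = createCipheriv("aes-256-gcm", this.kek, iv);
    return Buffer.concat([iv, c.update(dek), c.final(), c.getAuthTag()]); // iv || wrapped || tag
  }
  unwrap(blob: Buffer): Buffer {
    const d = createDecipheriv("aes-256-gcm", this.kek, blob.subarray(0, 12));
    d.setAuthTag(blob.subarray(-16));
    return Buffer.concat([d.update(blob.subarray(12, -16)), d.final()]);
  }
}
// Provider factory mirroring KMS_PROVIDER selection; an unknown value fails closed, never defaults.
export function createKmsProvider(env: Record<string, string | undefined>, backends: Record<string, KeyWrapper>): IKmsProvider {
  const name = env.KMS_PROVIDER ?? "local", kek = backends[name];
  if (!kek) throw new Error(`KMS_PROVIDER=${name} unknown; known: ${Object.keys(backends).join(", ")}`);
  return new EnvelopeKmsProvider(name, kek);
}
```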

Metadata

Labels

P1 (High priority), phase-2 (Go-live minimum), prd (Product requirement document), security (Security hardening)