feat(v1.1.7-crypto): master-key infra + encryption helpers

Add picloud_shared::crypto: AES-256-GCM encrypt/decrypt envelope
(12-byte CSPRNG nonce, 128-bit tag appended to ciphertext) plus a
MasterKey sourced from PICLOUD_SECRET_KEY (base64 of 32 bytes), with
a deterministic dev-key fallback gated on PICLOUD_DEV_MODE=true. Unset
key without dev mode is fatal. Key rotation is out of v1.1.7 scope.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/shared/Cargo.toml

@@ -21,6 +21,10 @@ tokio = { workspace = true, features = ["sync"] }
 hmac.workspace = true
 sha2.workspace = true
 base64.workspace = true
+# AES-256-GCM envelope + master-key sourcing (v1.1.7 crypto module).
+aes-gcm.workspace = true
+rand.workspace = true
+tracing.workspace = true
 
 [dev-dependencies]
 tokio = { workspace = true, features = ["macros", "rt", "rt-multi-thread", "time", "sync"] }