Commit f149347
feat: replace plaintext key storage with OWS encrypted vault
Private keys are no longer stored in the clear in config.json. All
key material is managed by the Open Wallet Standard (OWS) encrypted
vault (AES-256-GCM, scrypt KDF).
- Add `ows_id` field to Config — immutable UUID referencing OWS wallet
- Add `src/ows.rs` — OWS backend via `ows-lib` crate (3 tests)
- `wallet create` generates keys directly in OWS vault
- `wallet import` imports keys into OWS vault
- `resolve_key` decrypts from OWS vault when `ows_id` is present
- Legacy plaintext `private_key` field still read as fallback

1 parent e1c021f commit f149347
6 files changed
Lines changed: 765 additions & 27 deletions