Fix: Issue #14 wallet exports no longer write plaintext #30

Merged: Nanle-code merged 3 commits into StarsForges:master from Enniwealth:nano, Jun 28, 2026
@Enniwealth

Contributor

Summary

Closes #14

Wallet exports no longer write plaintext secret keys to disk. starforge wallet export now always encrypts the full backup JSON into a v2 envelope, even when individual wallets were created without --encrypt.

  • Always-encrypted exports: The wallet JSON payload is encrypted with Argon2 key derivation and AES-256-GCM before being written to the output file.
  • v2 backup envelope: Exported files use a structured JSON envelope with version, backup_id (UUID v4), encrypted_payload, kdf_params, and an HMAC-SHA256 integrity tag over the ciphertext.
  • Strict passphrase by default: Export enforces strong passphrases (zxcvbn "Strong" or better) unless --no-strict is passed.
  • Backward-compatible import: starforge wallet import --file detects v2 envelopes and decrypts them. Legacy v1 plaintext JSON and colon-separated encrypted backups still work but emit deprecation warnings recommending re-export.
  • Network path warning: A warning is printed when the export output path appears to be on a network-mounted filesystem.

v2 backup file format

{
  "version": "2",
  "backup_id": "<uuid-v4>",
  "encrypted_payload": "<base64(nonce || aes-gcm-ciphertext)>",
  "kdf_params": {
    "salt": "<base64>",
    "mem": 19456,
    "iterations": 2,
    "parallelism": 1
  },
  "hmac": "<base64(hmac-sha256)>"
}

@Nanle-code Nanle-code merged commit 6bc42a8 into StarsForges:master Jun 28, 2026
5 checks passed
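
As an added illustration (not code from this pull request or from starforge), here is a reader-side check of the v2 envelope described above: it sorts a file into the three formats the import path accepts, bounds the Argon2 costs read from the file before any key derivation runs, and verifies the HMAC tag in constant time. The cost caps, the 12-byte nonce, the tag covering `nonce || ciphertext`, the caller-supplied `mac_key`, and the heuristic for spotting legacy files are assumptions; the PR text does not specify them.

```python
import base64, binascii, hashlib, hmac, json, uuid
NONCE_LEN, TAG_LEN = 12, 16   # assumed: standard AES-GCM nonce and tag sizes
CAPS = {"mem": 1 << 20, "iterations": 16, "parallelism": 8}  # assumed reader-side limits

def _b64(value, field):
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, TypeError, ValueError) as exc:
        raise ValueError(f"{field}: not valid base64") from exc

def classify_backup(text):
    """Sort a backup file into v2 envelope, legacy plaintext JSON, or legacy colon form."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return "legacy-colon" if ":" in text else "unknown"
    return "v2" if isinstance(doc, dict) and doc.get("version") == "2" else "v1-plaintext"

def parse_v2(text):
    """Structural checks to run before any Argon2 or AES work; returns decoded fields."""
    try:
        env = json.loads(text)
        kdf, backup_id = env["kdf_params"], uuid.UUID(env["backup_id"])
        raw = env["encrypted_payload"], env["hmac"], kdf["salt"]
        costs = {name: kdf[name] for name in CAPS}
    except (KeyError, TypeError, AttributeError) as exc:
        raise ValueError(f"malformed envelope: {exc!r}") from exc
    if env.get("version") != "2" or backup_id.version != 4:
        raise ValueError("not a v2 envelope with a UUID v4 backup_id")
    for name, value in costs.items():  # bound costs read from the file before Argon2 runs
        if type(value) is not int or not 1 <= value <= CAPS[name]:
            raise ValueError(f"kdf_params.{name}: out of range")
    payload, tag, salt = (_b64(v, n) for v, n in zip(raw, ("encrypted_payload", "hmac", "salt")))
    if len(salt) < 8 or len(payload) < NONCE_LEN + TAG_LEN or len(tag) != 32:
        raise ValueError("salt, encrypted_payload or hmac has the wrong length")
    return {"payload": payload, "tag": tag, "salt": salt, "costs": costs}

def tag_ok(parsed, mac_key):
    """Constant-time HMAC-SHA256 check; assumes the tag covers nonce || ciphertext."""
    return hmac.compare_digest(hmac.new(mac_key, parsed["payload"], hashlib.sha256).digest(), parsed["tag"])

def sample_envelope(mac_key):
    """Constructed test envelope; the payload bytes are filler, not real ciphertext."""
    payload = bytes(range(NONCE_LEN + TAG_LEN + 4))
    enc = lambda b: base64.b64encode(b).decode()
    kdf = {"salt": enc(b"\x01" * 16), "mem": 19456, "iterations": 2, "parallelism": 1}
    tag = hmac.new(mac_key, payload, hashlib.sha256).digest()
    return json.dumps({"version": "2", "backup_id": str(uuid.uuid4()), "kdf_params": kdf,
                       "encrypted_payload": enc(payload), "hmac": enc(tag)})
```

A file that classifies as anything other than `v2` is where the import path would print its deprecation warning and recommend re-export.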

Development

Successfully merging this pull request may close these issues.

starforge wallet export Does Not Encrypt the Backup File