feat: migrate API keys to Obsidian SecretStorage (keychain)

[logancyang]

Summary

• Adds design doc (docs/KEYCHAIN_MIGRATION.md) for migrating all API keys and tokens from data.json to Obsidian's native SecretStorage API (OS keychain)
• Covers upgrade path: existing keys auto-migrate to keychain on first load, data.json fields cleared, one-time notice shown
• Deprecates the broken encryptionService.ts (hardcoded Web Crypto key + cross-platform failures)
• Documents the MarkdownRenderer breaking change from the required Obsidian API bump (1.2.5 → 1.12.2)

Key decisions

• Keychain only — no dual-write, no toggle. Simple single code path.
• One-time migration — decrypt legacy enc_ values, write to keychain, clear data.json. Idempotent.
• No sync — keys are device-local (same model as SSH keys, 1Password). Users re-enter on other devices once.
• All reads become synchronous — getDecryptedKey (async) replaced by keychain.getProviderKey() (sync)

Test plan

• Review design doc for completeness and correctness
• Implementation follows in subsequent PRs

🤖 Generated with Claude Code