Add optional encrypted Vault Mode for private storage

[imissapixel]

Summary

This PR adds an optional client-side encrypted Vault Mode alongside the existing Telegram Drive storage flow.

Normal Drive remains the default behavior. It continues to use Saved Messages and [TD] Telegram channel folders, and its existing command path is unchanged.

Vault Mode introduces a separate encrypted storage backend selected after Telegram login. It stores encrypted file blobs and encrypted manifest snapshots in a private Telegram channel named TelegramVault, while keeping vault metadata and folder structure inside the encrypted manifest.

Technical Changes

Storage Mode Selection

• Adds a post-login storage mode selector:
  • Normal Drive: uses the existing Saved Messages / [TD] channel-based storage flow.
  • Encrypted Vault: opens a local vault create/unlock flow before entering the dashboard.

Vault Backend

Adds a Rust vault backend with:

• Argon2id password-based unlock key derivation.
• Random vault master key wrapped by the derived unlock key.
• Per-file random encryption keys wrapped by the vault master key.
• XChaCha20-Poly1305 authenticated encryption for file chunks.
• Associated data binding for:
  • vault headers
  • manifests
  • file keys
  • encrypted chunks
• Encrypted local manifest snapshots.
• Remote encrypted manifest uploads to TelegramVault.
• Local decrypted cache for previews and streaming, cleared on vault lock/logout.

Vault Commands

Adds a separate vault command path:

• cmd_vault_create
• cmd_vault_unlock
• cmd_vault_lock
• cmd_vault_get_files
• cmd_vault_upload_file
• cmd_vault_download_file
• cmd_vault_delete_file
• cmd_vault_move_files
• cmd_vault_create_folder
• cmd_vault_delete_folder
• cmd_vault_scan_folders
• cmd_vault_search_global
• cmd_vault_get_preview
• cmd_vault_get_thumbnail

Dashboard Routing

Makes the existing dashboard mode-aware:

• Query keys include the selected storage mode.
• Upload/download queues use mode-specific store keys.
• File listing, search, move, delete, preview, thumbnail, PDF handling, and media streaming route to the correct command set.
• Existing plain-drive commands are preserved for Normal Drive.

Local Stream Server

Extends the local stream server:

• Existing /stream/{folder_id}/{message_id} behavior remains unchanged for Normal Drive.
• Vault streaming uses mode=vault.
• Vault blobs are decrypted into the local vault cache before being served through the existing authenticated local stream endpoint.

Documentation

• Updates the README with an Encrypted Vault Mode section.
• Adds screenshots for the Vault Mode flow.

Security Notes

• Telegram receives only encrypted file blobs and encrypted vault metadata for Vault Mode.
• Vault file names, logical folders, and file metadata are stored inside the encrypted manifest.
• Vault folders are manifest records, not Telegram channels.
• The vault password is never stored.
• Decrypted files may temporarily exist in the local vault cache for preview and streaming support.
• The local decrypted cache is cleared on vault lock/logout.
• Fresh-device vault restore/import is intentionally out of scope for this PR.
• Vault configuration is currently local-device based.

Out of Scope

• Fresh-device vault restore/import.
• Cross-device vault synchronization.
• Password recovery or password reset.
• Migration from Normal Drive into Vault Mode.
• Shared or multi-user vaults.

Verification

• cargo check
• cargo test
• npm run build

Manual smoke tests:

• Normal Drive login/list/upload/download/preview flow.
• Vault create/unlock flow.
• Vault upload/list/download/preview flow.
• Vault lock/logout clears decrypted cache.
• Mode switching routes commands correctly.
• Mode switching does not replace, mutate, or regress existing Saved Messages drive behavior.