fix: idempotent provider/sandbox upsert + per-provider credential vault

[mafueee]

Summary

Resolves three critical deployment failures and implements persistent API key management.

Fixed Issues

1. Provider Type Conflict — updateProvider rejected when provider type was included. ensureProvider() now handles this idempotently: checks existing type, omits type on updates, and does delete+recreate when type changes.

2. Unsupported Inference Provider — setClusterInference was passing raw provider names instead of mapped types. Fixed to use mapProviderToGrpcType consistently.

3. Sandbox UNIQUE Constraint — createSandbox failed when sandbox already existed. ensureSandbox() catches the UNIQUE constraint error and does delete+recreate.

4. API Key Persistence — Added per-provider credential vault at ~/.nemoclaw/credentials.json. Users configure each provider's key once; all future deploys auto-fill from the vault.

Files Changed

File	Change
gui/server/lib/grpcClient.js	Added ensureProvider() and ensureSandbox() helpers
gui/server/index.js	Credential vault (load/save/restore at startup) + updated deployment endpoints
gui/server/routes/claws.js	Claw creation uses ensureProvider/ensureSandbox
gui/src/components/inference/InferenceConfig.tsx	Sends apiKey on save for vault persistence
gui/src/api/client.ts	Added apiKey to InferenceConfigData interface
test/grpc-client.test.js	Added ensureProvider/ensureSandbox to exports check
README.md	Documented credential vault and idempotent helpers

Testing

• 22 unit tests pass
• Frontend builds successfully
• Server starts and responds to health checks