Issue #3594027: Vault lifecycle hardening (reap re-keyed leftovers, erase declined offers, reject expired approvals)

Three vault-lifecycle correctness fixes from an audit, one commit each, plus a docs commit. All carry kernel-test regression guards (verified failing without the fix).

  1. Reap items left by an interrupted purge after the key is re-created. reapCryptoErasedItems() also reaps items whose created predates their realm's current Subject KEK, so leftovers from an interrupted purge are not stranded once a returning owner's write re-creates the key.
  2. Crypto-erase a store offer's pending file on the generic decline. GrantManager::denyRequest() (the operator decline path) now erases the offer's sealed file instead of orphaning the ciphertext.
  3. Refuse to approve an expired store offer. approveOffer() re-checks isExpired() after the lock/reload.

The fourth commit documents the pdv_eca + Easy Email notification recipe (folded in here to avoid a separate issue).

Issue: https://www.drupal.org/project/pdv/issues/3594027
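
The reaping rule from fix 1, as an added PHP example that is not the pdv module's own code. The array shapes, the function name reapableItemIds() and the assumption that a realm with no key entry has been crypto-erased are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical model, not the pdv module's code: each item records its realm
// and creation time; $kekCreated maps realm => creation time of that realm's
// current Subject KEK. A realm absent from the map is assumed to have had its
// key destroyed (crypto-erased).

/**
 * Returns the ids of items whose ciphertext the current keys cannot open.
 *
 * @param array<string, array{realm: string, created: int}> $items
 * @param array<string, int> $kekCreated
 * @return list<string>
 */
function reapableItemIds(array $items, array $kekCreated): array {
  $reap = [];
  foreach ($items as $id => $item) {
    $realm = $item['realm'];
    if (!array_key_exists($realm, $kekCreated)) {
      // No key for the realm: the ordinary crypto-erased case.
      $reap[] = $id;
    }
    elseif ($item['created'] < $kekCreated[$realm]) {
      // The realm has a key again, but the item is older than that key, so
      // it was sealed under the destroyed one. A "realm has no key" test
      // alone would skip it and leave the ciphertext stranded.
      $reap[] = $id;
    }
  }
  return $reap;
}

// Constructed sample data (timestamps are arbitrary integers).
$items = [
  'a1' => ['realm' => 'alice', 'created' => 1000], // leftover of an interrupted purge
  'a2' => ['realm' => 'alice', 'created' => 2500], // written after the key was re-created
  'b1' => ['realm' => 'bob',   'created' => 1200], // bob's key is gone
  'c1' => ['realm' => 'carol', 'created' => 900],  // carol was never purged
];
$kekCreated = ['alice' => 2000, 'carol' => 500];

// Prints the ids selected for reaping, comma-separated.
print implode(',', reapableItemIds($items, $kekCreated)) . PHP_EOL;
```

The comparison is strict, matching "predates": an item stamped in the same second as the new key is kept rather than reaped.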
