Issue #3594042: Master KEK wrap plugin type and pdv_vault (OpenBao/Vault Transit) submodule

Implements the pluggable Master KEK wrap mechanism and the pdv_vault submodule from #3594042.

pdv core: new MasterKeyWrap plugin type; the default local plugin holds the existing local-AEAD wrapping, and SubjectKeyManager dispatches by the Master KEK Key's type (native rewrap when source and target share a mechanism, unwrap-then-wrap across mechanisms). MasterKeyOptions offers keys of any claimed type.

pdv_vault: vault_transit wrap plugin plus the pdv_vault_transit Key type, calling Transit directly over HTTP; owner-binding via a derived key and per-call context.

Tests: a kernel test covers the dispatch, local fallback, selector eligibility, and both rotation paths (verified to fail without the dispatch). The Transit calls were validated live against OpenBao.

Docs: a new handbook page, plus installation/roadmap/submodules updates. phpcs and phpstan clean.
