feat: add Vaultwarden password manager stack

Added self-hosted password manager to The Falcon infrastructure:

**Vault Stack** (vault.pivoine.art):
- Vaultwarden (Bitwarden-compatible server)
- SQLite database for password storage
- WebSocket support for real-time sync
- TOTP and WebAuthn/U2F 2FA support
- Browser extensions and mobile apps compatible

**Configuration:**
- Domain: https://vault.pivoine.art
- Signups: Disabled (invite-only for security)
- Invitations: Enabled
- Password hints: Disabled (security best practice)
- First user becomes admin

**Backup Integration:**
- Added vaultwarden-backup plan to Restic
- Schedule: 8 AM daily (same as letsencrypt)
- Retention: 7 daily, 4 weekly, 12 monthly, 3 yearly
- Backup volume: vault_data mounted read-only

**Infrastructure Updates:**
- Created vault/compose.yaml following stack pattern
- Added VAULT_* environment variables to arty.yml
- Updated compose.yaml to include vault stack
- Added backup_vaultwarden_data volume to restic
- Updated restic/config.json with 12th backup plan

**Documentation:**
- Added Vault to CORE SYSTEMS in README
- Added to ship architecture diagram
- Documented in CLAUDE.md with configuration details
- Updated volume management sections
- Backup count increased from 11 to 12 plans

Critical data backed up with long retention (3 years yearly).
Compatible with official Bitwarden clients on all platforms.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

README.md

@@ -52,6 +52,7 @@ The **Falcon** is a state-of-the-art containerized starship, powered by Docker's
 | **N8N** | *Automated workflow command center* | [n8n.pivoine.art](https://n8n.pivoine.art) |
 | **STASH** | *Universal file management portal* | [stash.pivoine.art](https://stash.pivoine.art) |
 | **LINKS** | *Interstellar bookmark archive* | [links.pivoine.art](https://links.pivoine.art) |
+| **VAULT** | *Encrypted password vault* | [vault.pivoine.art](https://vault.pivoine.art) |
 | **RESTIC** | *Automated backup vault system* | [restic.pivoine.art](https://restic.pivoine.art) |
 | **PROXY** | *Shield control dashboard* | [proxy.pivoine.art](https://proxy.pivoine.art) |
 | **VPN** | *Cloaking device network* | [vpn.pivoine.art](https://vpn.pivoine.art) |
@@ -204,6 +205,7 @@ THE FALCON (falcon_network)
 │  ├─ n8n Workflows      [n8n.pivoine.art]
 │  ├─ Filestash Files    [stash.pivoine.art]
 │  ├─ Linkwarden Marks   [links.pivoine.art]
+│  ├─ Vaultwarden Vault  [vault.pivoine.art]
 │  ├─ Backrest Backups   [restic.pivoine.art]
 │  └─ WireGuard VPN      [vpn.pivoine.art]
 │
@@ -218,6 +220,7 @@ THE FALCON (falcon_network)
    ├─ filestash_data     → File manager state
    ├─ linkwarden_data    → Bookmark archives
    ├─ meili_data         → Search index database
+   ├─ vaultwarden_data   → Encrypted password vault
    ├─ backrest_data      → Backup system state
    ├─ backrest_config    → Backup configurations
    └─ letsencrypt_data   → Shield certificates