b2e11ff1fe
Close the remaining "secrets touch a plaintext file" gap. The unattended restart mode now SEALS the operator-chosen wallet password to the host with `systemd-creds encrypt` (ciphertext at rest, read via LoadCredentialEncrypted, decrypted into a tmpfs credentials dir at each start), so no plaintext wallet key is written to disk. When systemd-creds is unavailable it falls back to the legacy root-owned 0400 plaintext file with a loud warning, and re-running `setup --reconfigure` once it is available upgrades to encryption. - wizard: seal via systemd-creds (injectable for tests), write the encrypted.conf drop-in, keep the manual.conf tmpfs path unchanged; reconfiguring a till that keeps no readable password on disk (encrypted or manual) now prompts for the existing password to reopen the wallet. - startup: loud deprecation warning when a money secret (GP_MNEMONIC, GP_WALLET_PASSWORD, GP_NSEC) is supplied INLINE rather than via a *_FILE or systemd credential; the value is never logged, only the variable name. - docs: README, .env.example, install.sh, and the systemd unit updated to the encrypted-at-rest default and the honest fallback/trade-off. Tests: gp-core config + gp-core/gp-server setup cover the inline-secret warning, the encrypted drop-in, the sealed-vs-plaintext shapes, and encrypted reconfigure. Full workspace suite green; fmt introduces no new drift; clippy -D warnings clean on the workspace crates.