Open
Description
Summary
Enable teams to share placeholder↔secret mappings via encrypted vault sync, so KeyClaw can work consistently across multiple developers on the same project.
Motivation
Currently KeyClaw is a single-machine tool. Each developer's vault is independent, meaning the same secret produces different placeholders on different machines. For teams collaborating on AI-assisted codebases, shared mappings would ensure consistent behavior and enable shared context.
Design considerations
- Sync mechanism: git-crypt, age-encrypted files, SOPS, or a custom sync protocol
- Key management: Shared team key vs. per-user keys with re-encryption
- Conflict resolution: Merge strategy for concurrent vault updates
- Scope: Per-project vault overrides vs. global vault sharing
- Security: Team vault must not weaken the single-user security model
Open questions
- Should this be a separate vault layer (project-level) on top of the existing machine-local vault?
- What's the right key distribution mechanism for teams?
- Should this integrate with existing secret managers (Vault, AWS Secrets Manager)?
Acceptance criteria
- Design document covering sync protocol, key management, and conflict resolution
- Implementation of chosen approach
- Documentation for team setup workflow
- No regression to single-user security model