Config file path settings treat '~' literally instead of expanding HOME

[GuthL]

Summary

~/.keyclaw/config.toml examples currently encourage ~-prefixed paths for proxy.ca_cert, vault.path, detection.gitleaks_config, audit.path, and hook log paths, but the runtime stores those values literally instead of expanding them against HOME.

Evidence

• src/config.rs:276-283, src/config.rs:321-339: file-backed path settings are copied straight into the runtime config with no home expansion.
• src/config.rs:611-622: audit.path is parsed with PathBuf::from(trimmed), which also preserves a literal leading ~.
• src/hooks.rs:198-209: hook log paths are cloned directly from config.
• docs/configuration.md:23-82 and README.md:349-404 both show ~-prefixed config examples today.

Why this matters

Users who copy the documented config examples can end up with KeyClaw looking for files relative to the working directory or writing logs into a literal ~ path instead of their home directory.

Suggested scope

• Expand leading ~ for config-file path settings consistently before storing them in Config / hook actions.
• Add regression coverage for proxy.ca_cert, vault.path, detection.gitleaks_config, audit.path, and [[hooks]].path.
• Keep the docs aligned with the actual supported path forms.