fix: round 1 — perf, dedup, security, optimizations

[pszymkowiak]

Summary — Review Round 1 (4 parallel passes)

Performance (8 fixes)

• hex_encode: replaced format!-per-byte with hex::encode()
• Eliminated double file read in backup (hash computed from chunks)
• Batched SQLite writes with explicit transactions
• Release profile: LTO, codegen-units=1, strip
• Single DB lock pass for chunk info in S3 GET
• Concurrent replica uploads via futures::join_all()
• Cached list_providers() in proxy startup
• O(n²) → O(1) HashSet dedup in GC and chunk ref counting

Code Duplication (-108 lines net)

• Removed duplicate base64 encode/decode from aws_secretsmanager + azure_vault (used base64 crate)
• Default trait methods for upload_manifest/download_manifest in StorageProvider
• Removed unused decrypt_provider_creds dead code

Security

• Removed credential logging (access key prefix)
• Replaced all remaining guarded .unwrap() with if let Some/expect
• Improved GCS error matching robustness

Optimizations

• Concurrent replica uploads (3x faster backup with multi-cloud)
• Single-pass DB lock for chunk downloads (reduces lock contention)
• Cached provider list during startup (eliminates redundant DB queries)

Test results

73 tests pass, 0 failures. Clippy clean, fmt clean.