Commit 9a12fd6

feat: add disable_kek_mode and rotate_kek methods with security audit

Add methods for KEK mode management:
- disable_kek_mode(): Remove KEK protection, return to password-only mode for migration to KeePassXC or other KeePass applications
- rotate_kek(): Regenerate KEK and re-wrap for specified devices, use after revoking a device to invalidate old backups

Security improvements from audit:
- Add runtime warning when enrolling first device (KeePassXC incompatibility)
- Remove device count from error messages (information leakage)
- Add version forward-compatibility check for unknown CR versions
- Fix bug where disable_kek_mode didn't clear challenge_response_provider

Include comprehensive security audit report from 6 specialized agents covering cryptographic security, memory safety, API design, attack surface, ecosystem compatibility, and test coverage.

1 parent e84da45 commit 9a12fd6

5 files changed: +2147 -25 lines changed