01 Issue
Feature · Shipped · Swamp CLI
Assignees: stack72

Add vault migrate command to move secrets between vaults

Opened by stack72 · 4/9/2026 · Shipped 4/9/2026

Problem

When a user stores sensitive field values in one vault (e.g. a local_encryption vault) and later wants to move to a different vault backend (e.g. AWS Secrets Manager), there is no migration path. Data records contain vault references with the vault name baked in (e.g. ${{ vault.get('my-local-vault', 'key') }}), so switching vaults requires manually copying every secret AND rewriting every data record's vault expressions.

This becomes especially important with the upcoming sensitive field auto-vaulting work (swamp-club #9), where users may start with an auto-created local_encryption vault and later want to upgrade to a cloud vault for production use.

Proposed Solution

Add a swamp vault migrate <from-vault> <to-vault> command that:

  • Lists all keys in the source vault via vaultService.list()
  • Copies each secret to the target vault via vaultService.get() / vaultService.put()
  • Rewrites vault reference expressions in all data records from vault.get('from-vault', ...) to vault.get('to-vault', ...)
  • Optionally cleans up the source vault after successful migration

Changes would be needed in:

  • New CLI command (vault_migrate.ts)
  • VaultService: a migration method that orchestrates the copy
  • Data layer: scan and rewrite vault expressions in persisted data records
  • Vault reference expression utilities in data_writer.ts

The approach would iterate over all data artifacts, detect vault reference strings matching the source vault name, resolve and re-store them in the target vault, then update the expressions in-place.
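
The copy-then-rewrite order described above, as an added example that is not Swamp's code: MemoryVault, migrate, rewriteRefs and rewriteRecord are hypothetical names, the vault is a synchronous in-memory stand-in, and refusing to overwrite a differing target value is an assumed policy. Only an exact quoted match of the source vault name is rewritten, and no record is touched until every secret has been read back from the target.

```typescript
// Added example; names and signatures here are assumptions, not Swamp's API.
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

// In-memory stand-in for a vault backend (synchronous for brevity).
class MemoryVault {
  private secrets = new Map<string, string>();
  list(): string[] { return [...this.secrets.keys()]; }
  get(key: string): string | undefined { return this.secrets.get(key); }
  put(key: string, value: string): void { this.secrets.set(key, value); }
}

// Escape regex metacharacters so a vault name is matched literally.
const escapeRe = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Rewrite vault.get('<from>', ...) to vault.get('<to>', ...) in one string.
// The closing-quote backreference prevents prefix matches such as 'from-2'.
function rewriteRefs(text: string, from: string, to: string): string {
  const re = new RegExp(`(vault\\.get\\(\\s*)(['"])${escapeRe(from)}\\2`, "g");
  // A replacer function keeps '$' in the target name from being interpreted.
  return text.replace(re, (_m, head: string, q: string) => `${head}${q}${to}${q}`);
}

// Walk a data record and rewrite every string leaf; other values pass through.
function rewriteRecord(node: Json, from: string, to: string): Json {
  if (typeof node === "string") return rewriteRefs(node, from, to);
  if (Array.isArray(node)) return node.map((n) => rewriteRecord(n, from, to));
  if (node !== null && typeof node === "object") {
    const out: { [k: string]: Json } = {};
    for (const [k, v] of Object.entries(node)) out[k] = rewriteRecord(v, from, to);
    return out;
  }
  return node;
}

// Copy and verify every secret first; rewrite records only if all copies succeed.
function migrate(src: MemoryVault, dst: MemoryVault, from: string, to: string, records: Json[]): Json[] {
  for (const key of src.list()) {
    const value = src.get(key);
    if (value === undefined) throw new Error(`source key unreadable: ${key}`);
    const existing = dst.get(key);
    if (existing !== undefined && existing !== value) throw new Error(`target holds a different value for: ${key}`);
    dst.put(key, value);
    if (dst.get(key) !== value) throw new Error(`read-back failed for: ${key}`);
  }
  return records.map((r) => rewriteRecord(r, from, to));
}
```

Source-vault cleanup is deliberately left out: it is only safe after the rewritten records have been persisted.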

02 Bog Flow

Shipped

4/9/2026, 1:28:45 PM


03 Sludge Pulse
stack72 assigned stack72 · 4/9/2026, 11:56:49 AM
