Add SecurityTier enum and PBKDF2 key derivation to crypto module

[Copilot]

ZeroEnvCrypto lacked a typed security tier abstraction and required callers to pre-derive keys externally. This adds first-class tier support directly on the class, along with salt serialization helpers.

crypto.py

• SecurityTier(str, Enum) — standard | enhanced | max; inherits str so existing string-based callers are unaffected
• ZeroEnvCrypto.__init__ — now accepts optional tier and salt; standard tier (default) is a no-op derivation, preserving backward compatibility
• _derive_key() — private instance method; delegates to existing derive_key() static method using instance state
• salt_to_string() / string_to_salt() — base64 encode/decode pair for salt persistence, parallel to existing key_to_string()/string_to_key()

# Standard tier — unchanged behaviour
crypto = ZeroEnvCrypto(master_key)

# Enhanced/max — key derivation happens inside __init__
salt = ZeroEnvCrypto.generate_salt()
crypto = ZeroEnvCrypto(master_key, tier=SecurityTier.enhanced, salt=salt)
# or equivalently with a plain string
crypto = ZeroEnvCrypto(master_key, tier='enhanced', salt=salt)

# Salt persistence
stored = ZeroEnvCrypto.salt_to_string(salt)   # → base64 str
recovered = ZeroEnvCrypto.string_to_salt(stored)  # → bytes

test_crypto.py

• TestSecurityTierEnum — enum values, string equality, construction from value
• TestZeroEnvCryptoInitWithTier — per-tier init, missing-salt error paths, SecurityTier enum acceptance, encrypt/decrypt roundtrips, cross-tier incompatibility
• TestSaltConversionMethods — type checks, roundtrip equality, valid base64 output