Seed encryption at rest (Argon2id + ChaCha20-Poly1305) + HW wallet plan

keystore.rs:
- Passphrase prompted on init (hidden input, echo disabled)
- Empty passphrase = plaintext (for testing/scripting)
- Encrypted format: MAGIC("WZS1") + salt(16) + nonce(12) + ciphertext(48)
- Argon2id for key derivation (memory-hard, GPU-resistant)
- ChaCha20-Poly1305 AEAD for encryption
- Backwards compatible: auto-detects plaintext vs encrypted on load
- Keys zeroized after use

DESIGN.md:
- Added hardware wallet section (Ledger/Trezor via USB/BT HID)
- Ed25519 signing delegated to device, seed never exported
- BIP44 derivation path m/44'/1234'/0'
- Phase 2 feature, protocol unchanged

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

warzone/crates/warzone-client/Cargo.toml

@@ -24,5 +24,6 @@ hex.workspace = true
 base64.workspace = true
 x25519-dalek.workspace = true
 bincode.workspace = true
+libc = "0.2"
 uuid.workspace = true
 chrono.workspace = true