Fix Rust backend: secrets to keychain, status recovery, shutdown, dedup

- Move git_token and Bedrock credentials to OS keychain instead of
  storing in plaintext projects.json via skip_serializing + keyring
- Fix project status stuck in Starting on container creation failure
  by resetting to Stopped on any error path
- Add granular store methods to reduce TOCTOU race window
- Add auth_mode, project path, and bedrock config change detection
  to container_needs_recreation with label-based fingerprinting
- Fix mutex held across async Docker API call in exec resize by
  cloning exec_id under lock then releasing before API call
- Add graceful shutdown via on_window_event to clean up exec sessions
- Extract compute_env_fingerprint and merge_claude_instructions helpers
  to eliminate code duplication in container.rs
- Remove unused thiserror dependency
- Return error instead of falling back to CWD when data dir unavailable

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/src-tauri/src/models/project.rs

@@ -17,6 +17,7 @@ pub struct Project {
     pub bedrock_config: Option<BedrockConfig>,
     pub allow_docker_access: bool,
     pub ssh_key_path: Option<String>,
+    #[serde(skip_serializing)]
     pub git_token: Option<String>,
     pub git_user_name: Option<String>,
     pub git_user_email: Option<String>,
@@ -76,10 +77,14 @@ impl Default for BedrockAuthMethod {
 pub struct BedrockConfig {
     pub auth_method: BedrockAuthMethod,
     pub aws_region: String,
+    #[serde(skip_serializing)]
     pub aws_access_key_id: Option<String>,
+    #[serde(skip_serializing)]
     pub aws_secret_access_key: Option<String>,
+    #[serde(skip_serializing)]
     pub aws_session_token: Option<String>,
     pub aws_profile: Option<String>,
+    #[serde(skip_serializing)]
     pub aws_bearer_token: Option<String>,
     pub model_id: Option<String>,
     pub disable_prompt_caching: bool,