fix: Restore all files lost during destructive rebase

A previous `git pull --rebase origin main` dropped 177 local commits,
losing 3400+ files across admin-v2, backend, studio-v2, website,
klausur-service, and many other services. The partial restore attempt
(660295e2) only recovered some files.

This commit restores all missing files from pre-rebase ref 98933f5e
while preserving post-rebase additions (night-scheduler, night-mode UI,
NightModeWidget dashboard integration).

Restored features include:
- AI Module Sidebar (FAB), OCR Labeling, OCR Compare
- GPU Dashboard, RAG Pipeline, Magic Help
- Klausur-Korrektur (8 files), Abitur-Archiv (5+ files)
- Companion, Zeugnisse-Crawler, Screen Flow
- Full backend, studio-v2, website, klausur-service
- All compliance SDKs, agent-core, voice-service
- CI/CD configs, documentation, scripts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.vault.yml

@@ -0,0 +1,98 @@
+# HashiCorp Vault Configuration for BreakPilot
+#
+# Usage:
+#   Development mode (unsealed, no auth required):
+#     docker-compose -f docker-compose.vault.yml up -d vault
+#
+#   Production mode:
+#     docker-compose -f docker-compose.vault.yml --profile production up -d
+#
+# After starting Vault in dev mode:
+#   export VAULT_ADDR=http://localhost:8200
+#   export VAULT_TOKEN=breakpilot-dev-token
+#
+# License: HashiCorp Vault is BSL 1.1 (open source for non-commercial use)
+#          Vault clients (hvac) are Apache-2.0
+
+services:
+  # HashiCorp Vault - Secrets Management
+  vault:
+    image: hashicorp/vault:1.15
+    container_name: breakpilot-pwa-vault
+    ports:
+      - "8200:8200"
+    environment:
+      # Development mode settings
+      VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_DEV_TOKEN:-breakpilot-dev-token}
+      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
+      VAULT_ADDR: "http://127.0.0.1:8200"
+      VAULT_API_ADDR: "http://0.0.0.0:8200"
+    cap_add:
+      - IPC_LOCK  # Required for mlock
+    volumes:
+      - vault_data:/vault/data
+      - vault_logs:/vault/logs
+      - ./vault/config:/vault/config:ro
+      - ./vault/policies:/vault/policies:ro
+    command: server -dev -dev-root-token-id=${VAULT_DEV_TOKEN:-breakpilot-dev-token}
+    healthcheck:
+      test: ["CMD", "vault", "status"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+    networks:
+      - breakpilot-pwa-network
+    restart: unless-stopped
+
+  # Vault Agent for automatic secret injection (production)
+  vault-agent:
+    image: hashicorp/vault:1.15
+    container_name: breakpilot-pwa-vault-agent
+    profiles:
+      - production
+    depends_on:
+      vault:
+        condition: service_healthy
+    environment:
+      VAULT_ADDR: "http://vault:8200"
+    volumes:
+      - ./vault/agent-config.hcl:/vault/config/agent-config.hcl:ro
+      - vault_agent_secrets:/vault/secrets
+    command: agent -config=/vault/config/agent-config.hcl
+    networks:
+      - breakpilot-pwa-network
+    restart: unless-stopped
+
+  # Vault initializer - Seeds secrets in development
+  vault-init:
+    image: hashicorp/vault:1.15
+    container_name: breakpilot-pwa-vault-init
+    depends_on:
+      vault:
+        condition: service_healthy
+    environment:
+      VAULT_ADDR: "http://vault:8200"
+      VAULT_TOKEN: ${VAULT_DEV_TOKEN:-breakpilot-dev-token}
+    volumes:
+      - ./vault/init-secrets.sh:/vault/init-secrets.sh:ro
+    entrypoint: ["/bin/sh", "-c"]
+    command:
+      - |
+        sleep 5
+        chmod +x /vault/init-secrets.sh
+        /vault/init-secrets.sh
+        echo "Vault initialized with development secrets"
+    networks:
+      - breakpilot-pwa-network
+
+volumes:
+  vault_data:
+    name: breakpilot_vault_data
+  vault_logs:
+    name: breakpilot_vault_logs
+  vault_agent_secrets:
+    name: breakpilot_vault_agent_secrets
+
+networks:
+  breakpilot-pwa-network:
+    external: true