feat(crypto): named-var key loaders (admin/agent) + NewDEK

Replace KeyFromEnv with AgentKeyFromEnv/AdminKeyFromEnv reading EMCLI_KEY
and EMCLI_ADMIN_KEY; add NewDEK for envelope encryption. Seal/Open double
as DEK wrap/unwrap.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

internal/crypto/crypto.go

@@ -7,28 +7,41 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"errors"
+	"fmt"
 	"io"
 	"os"
 )
 
-var (
-	ErrNoKey  = errors.New("EMCLI_KEY is not set")
-	ErrBadKey = errors.New("EMCLI_KEY must be base64 of exactly 32 bytes")
-)
-
-// KeyFromEnv reads and validates the AES-256 key from EMCLI_KEY.
-func KeyFromEnv() ([]byte, error) {
-	raw := os.Getenv("EMCLI_KEY")
+// keyFromEnv reads and validates a base64-encoded 32-byte AES key from the
+// named environment variable. Errors name the variable so callers get a
+// role-appropriate message.
+func keyFromEnv(varName string) ([]byte, error) {
+	raw := os.Getenv(varName)
 	if raw == "" {
-		return nil, ErrNoKey
+		return nil, fmt.Errorf("%s is not set", varName)
 	}
 	key, err := base64.StdEncoding.DecodeString(raw)
 	if err != nil || len(key) != 32 {
-		return nil, ErrBadKey
+		return nil, fmt.Errorf("%s must be base64 of exactly 32 bytes", varName)
 	}
 	return key, nil
 }
 
+// AgentKeyFromEnv reads the agent KEK from EMCLI_KEY (agent commands only).
+func AgentKeyFromEnv() ([]byte, error) { return keyFromEnv("EMCLI_KEY") }
+
+// AdminKeyFromEnv reads the admin KEK from EMCLI_ADMIN_KEY (all commands).
+func AdminKeyFromEnv() ([]byte, error) { return keyFromEnv("EMCLI_ADMIN_KEY") }
+
+// NewDEK returns a fresh random 32-byte data-encryption key.
+func NewDEK() ([]byte, error) {
+	dek := make([]byte, 32)
+	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
+		return nil, err
+	}
+	return dek, nil
+}
+
 func newGCM(key []byte) (cipher.AEAD, error) {
 	block, err := aes.NewCipher(key)
 	if err != nil {