Encrypt or externalize network share credentials

[blinkerbit]

Source: gitlab-issues-export.md (Issue 3)

Weight: 5

Problem / context

network_shares in aird/db/schema.py stores credentials as plaintext TEXT. DB file compromise exposes SMB/WebDAV passwords.

Suggested approach / acceptance criteria

• Design app-level encryption (server key from env) or OS/keyring integration; document key rotation.
• Migration path for existing rows.
• Tests for round-trip and denial when key missing.