Secrets now encrypted to three recipients:
- vultr_vps: server SSH host key (primary)
- admin: workstation key (local editing)
- recovery: offline key at ~/.config/sops/age/recovery.key
If server dies and admin key unavailable, recovery key can
still decrypt secrets to bootstrap restore.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
