feat(docker-watcher): phase 2 - crypto & config seed loader

AES-256-GCM encryption for credential storage, YAML seed config
parser with validation, and transactional import into SQLite.
Credentials (registry tokens, NPM password) encrypted before storage.

cmd/server/main.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/alexei/docker-watcher/internal/config"
 	"github.com/alexei/docker-watcher/internal/store"
 )
 
@@ -23,6 +24,12 @@ func main() {
 	}
 	defer db.Close()
 
+	// Import seed config on first launch (idempotent — skipped if DB has data).
+	seedPath := envOrDefault("SEED_FILE", "./docker-watcher.yaml")
+	if err := config.ImportSeed(db, seedPath); err != nil {
+		log.Fatalf("seed import: %v", err)
+	}
+
 	fmt.Printf("Docker Watcher started. Database: %s\n", dbPath)
 
 	// Future phases will wire up the HTTP server, deployer, poller, etc.