Validate vault encryption key using CapabilitiesRegistry

[timothyF95]

Summary

• Verify encryption key against CapabilitiesRegistry when RPC is available: EncryptSecrets still fetches the vault master TDH2 public key from the gateway (publicKey/get). When CapabilitiesRegistry RPC is configured in project.yaml, the CLI also reads the on-chain key from the tenant registry (vault@1.0.0 on the resolved vault DON) and fails if they do not match. With no RPC configured, encryption continues using the gateway key only.
• Remove the temporary vaultValidationGateEnabled bypass and all related test skips so vault validation tests run unconditionally.
• Update unit and integration tests: mock gateway + CapabilitiesRegistry resolver for encrypt/compare paths, deploy a minimal cap reg on Anvil for the secrets happy path (RPC + compare), restore publicKey/get in the gateway mock, and fix GraphQL test mocks to use the correct anvil-devnet chain selector.