feat: wire TPM-backed encrypted template storage into auth pipeline

Replace plain TemplateStore with SecureTemplateStore in the auth
service. Templates are now encrypted with AES-256-GCM via TPM2 when
available, falling back to software encryption with PBKDF2 key
derivation (600k iterations) otherwise.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

linux-hello-daemon/src/main.rs

@@ -14,6 +14,7 @@ use linux_hello_common::{Config, Result, TemplateStore};
 use linux_hello_daemon::auth::AuthService;
 use linux_hello_daemon::dbus_server::{check_system_bus_available, DbusServer};
 use linux_hello_daemon::ipc::IpcServer;
+use linux_hello_daemon::secure_template_store::SecureTemplateStore;
 use tracing::{error, info, warn, Level};
 use tracing_subscriber::FmtSubscriber;
 
@@ -62,8 +63,8 @@ async fn main() -> Result<()> {
     // Initialize authentication service
     let template_path = std::env::var("LINUX_HELLO_TEMPLATES")
         .map(std::path::PathBuf::from)
-        .unwrap_or_else(|_| TemplateStore::default_path());
-    
+        .unwrap_or_else(|_| SecureTemplateStore::default_path());
+
     let auth_service = AuthService::with_paths(config.clone(), template_path.clone());
     auth_service.initialize()?;
     info!("Authentication service initialized (Templates: {})", template_path.display());
@@ -72,7 +73,7 @@ async fn main() -> Result<()> {
     let socket_path = std::env::var("LINUX_HELLO_SOCKET")
         .map(std::path::PathBuf::from)
         .unwrap_or_else(|_| IpcServer::default_socket_path());
-    
+
     let mut ipc_server = IpcServer::new(socket_path.clone());
 
     // Set authentication handler