feat: update all Docker Compose files for Vision primary with WIF auth (refs #127)

- Switch OCR engine config to google_vision primary / paddleocr fallback
- Mount Auth0 OCR secrets and WIF config into all OCR containers
- Add WIF config to repo (not a secret, contains no credentials)
- Remove obsolete google-vision-key.json.example

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

secrets/app/google-vision-key.json.example

@@ -1,18 +0,0 @@
-{
-  "_comment": "Google Vision API service account key for OCR cloud fallback",
-  "_instructions": [
-    "1. Create a Google Cloud service account with Vision API access",
-    "2. Download the JSON key file",
-    "3. Save it as secrets/app/google-vision-key.json (gitignored)",
-    "4. Uncomment the volume mount in docker-compose.yml",
-    "5. Set OCR_FALLBACK_ENGINE=google_vision"
-  ],
-  "type": "service_account",
-  "project_id": "your-project-id",
-  "private_key_id": "",
-  "private_key": "",
-  "client_email": "your-sa@your-project-id.iam.gserviceaccount.com",
-  "client_id": "",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://oauth2.googleapis.com/token"
-}

secrets/app/google-wif-config.json

@@ -0,0 +1,14 @@
+{
+  "universe_domain": "googleapis.com",
+  "type": "external_account",
+  "audience": "//iam.googleapis.com/projects/487954699429/locations/global/workloadIdentityPools/motovaultpro-pool/providers/auth0-provider",
+  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+  "token_url": "https://sts.googleapis.com/v1/token",
+  "credential_source": {
+    "executable": {
+      "command": "/app/scripts/fetch-auth0-token.sh",
+      "timeout_millis": 30000
+    }
+  },
+  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/mvp-svc-account@motovaultpro.iam.gserviceaccount.com:generateAccessToken"
+}