Roadmap: expand external fallback providers (KeePassXC, pass)

[jmcte]

Context

README.md lines 113-129 document a reduced-security --external-fallback path that today supports only 1password and bitwarden. Operators on KeePassXC, pass (passwordstore.org), or other CLI-driven managers have no supported fallback when the native broker is unavailable.

The fallback path is already explicit (callers must pass --external-fallback, payloads are tagged securityMode: "reduced_external_cli", no caching) so the security model extends naturally.

Proposed Fix

• Add keepassxc and pass as supported fallbackProvider values in ~/.apw/config.json.
• Reuse the validated absolute-path execution model (Validate external provider fallback paths #33, Bound external fallback provider execution #32) so no new attack surface is introduced.
• Document the per-provider invocation and limitations in README.md and docs/SECURITY_POSTURE_AND_TESTING.md.

Acceptance criteria

• apw login --external-fallback <url> works against KeePassXC and pass with documented setup.
• Fallback payloads remain tagged transport: "external_cli" / securityMode: "reduced_external_cli".
• Provider-specific failure modes (locked vault, missing entry, multiple matches) map to typed APW errors.
• No credential caching introduced.