docs: add comprehensive API reference documentation

Creates new API.md with complete API reference including:
- Architecture and encryption model documentation
- Installation and configuration guides
- Authentication methods and API endpoints
- Go package API documentation
- Error codes and code examples
- License tier information

Also updates README.md to reference the new API documentation.

README.md

@@ -200,50 +200,6 @@ curl -X DELETE \
   https://gitcaddy.example.com/api/v1/repos/owner/repo/vault/secrets/prod.database.password
 ```
 
-### Lockbox API (E2E Encrypted Secrets)
-
-Lockbox secrets require client-side encryption before upload and client-side decryption after retrieval. Use our SDKs for simplified lockbox operations.
-
-**Create Lockbox Secret (using SDK):**
-```go
-// Go SDK
-client := vault.NewClient("https://gitcaddy.example.com", token)
-err := client.CreateLockbox(ctx, "prod.master-key", "super-secret-value", "my-passphrase")
-```
-
-```typescript
-// TypeScript SDK
-const client = new VaultClient('https://gitcaddy.example.com', token);
-await client.createLockbox('prod.master-key', 'super-secret-value', 'my-passphrase');
-```
-
-```python
-# Python SDK
-client = VaultClient('https://gitcaddy.example.com', token)
-client.create_lockbox('prod.master-key', 'super-secret-value', 'my-passphrase')
-```
-
-**Get Lockbox Secret:**
-```go
-// Go SDK
-value, err := client.GetLockbox(ctx, "prod.master-key", "my-passphrase")
-```
-
-**Raw API (manual encryption):**
-```bash
-# The value must be pre-encrypted in lockbox:v1:... format
-curl -X PUT \
-  -H "Authorization: Bearer $VAULT_TOKEN" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "name": "prod.master-key",
-    "value": "lockbox:v1:BASE64_SALT:BASE64_ENCRYPTED_DATA",
-    "encryption_mode": "lockbox",
-    "type": "key-value"
-  }' \
-  https://gitcaddy.example.com/api/v1/repos/owner/repo/vault/secrets/prod.master-key
-```
-
 ### CI/CD Integration
 
 **GitHub Actions / Gitea Actions:**