Problem

The "PDV: Master KEK" status-report check (RequirementsHook::masterKeyIsUsable()) hardcodes the local-wrap test strlen(getKeyValue()) === 32. A Master KEK handled by a non-local wrap -- e.g. the vault_transit (OpenBao/Vault Transit) wrap, whose key value is the Transit key name and not 32 raw bytes -- always fails it, so the report shows "N of N tenant Master KEK(s) unusable" even when sealing/unsealing works fine. (Confirmed: a vault_transit Master KEK has a 10-byte value, so both tenants are wrongly flagged.)

Fix

  • Add isUsable(string $masterKeyId): bool to MasterKeyWrapInterface, with a default in MasterKeyWrapBase (the key resolves), overridden by Local (32-byte check) and VaultTransit (Transit key reachable) -- so genuine "backend unreachable" detection is kept, but per wrap.
  • RequirementsHook resolves the wrap by the Master KEK's key type (reusing the existing wrap selection) and delegates to isUsable() instead of hardcoding 32 bytes.

Test coverage

The gap that let this through: no test exercised the check with a non-local wrap. Add a kernel test using the existing TestRecordingWrap (which claims a non-local key type whose key is not 32 bytes), asserting the check reports OK for it and Error when the wrap reports unusable.
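A minimal stand-alone model of the per-wrap check described under Fix, added here as an example and not taken from the module's code. Only isUsable(string $masterKeyId): bool, the interface/base/Local/VaultTransit roles and the vault_transit key type come from the issue; the constructors, the key array, the 'local' key type string and the reachability probe closure are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the module's code. isUsable() and the class roles come
// from the issue; the constructors, key array and probe closure are assumptions.
interface MasterKeyWrapInterface {
  public function isUsable(string $masterKeyId): bool;
}

abstract class MasterKeyWrapBase implements MasterKeyWrapInterface {
  // $keys: constructed stand-in for the key store (id => key value).
  public function __construct(protected array $keys) {}

  // Default: usable when the key resolves to a non-empty value.
  public function isUsable(string $masterKeyId): bool {
    return ($this->keys[$masterKeyId] ?? '') !== '';
  }
}

final class Local extends MasterKeyWrapBase {
  // The key value is the raw key material, so it must be exactly 32 bytes.
  public function isUsable(string $masterKeyId): bool {
    return strlen($this->keys[$masterKeyId] ?? '') === 32;
  }
}

final class VaultTransit extends MasterKeyWrapBase {
  // $probe: hypothetical reachability check, given the Transit key name.
  public function __construct(array $keys, private \Closure $probe) {
    parent::__construct($keys);
  }

  // The key value is a Transit key name: ask the backend instead of strlen().
  public function isUsable(string $masterKeyId): bool {
    return parent::isUsable($masterKeyId) && ($this->probe)($this->keys[$masterKeyId]);
  }
}

// Stand-in for the status check: select the wrap by key type, then delegate.
// An unknown key type has no wrap and is reported unusable.
function masterKeyIsUsable(array $wraps, string $keyType, string $id): bool {
  $wrap = $wraps[$keyType] ?? null;
  return $wrap instanceof MasterKeyWrapInterface && $wrap->isUsable($id);
}

$keys = ['a' => 'pdv-master', 'b' => random_bytes(32)]; // constructed values
$up = ['local' => new Local($keys), 'vault_transit' => new VaultTransit($keys, fn(string $n): bool => true)];
$down = ['vault_transit' => new VaultTransit($keys, fn(string $n): bool => false)];
var_dump(strlen($keys['a']) === 32);                    // old hardcoded test on a Transit key name
var_dump(masterKeyIsUsable($up, 'vault_transit', 'a'), masterKeyIsUsable($down, 'vault_transit', 'a'), masterKeyIsUsable($up, 'local', 'b'));
```

The first var_dump applies the old length test to a Transit key name; the second runs the delegated check with the backend reachable, with it unreachable, and against a local 32-byte key.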


Comments

mably created an issue. See original summary.

  • mably committed 113ea47d on 1.x
    fix: #3595619 Master KEK status check false-positives for non-local (...

Status: Active » Fixed
