vars/password-store: replace passBackend option with passPackage

The `clan.core.vars.settings.passBackend` option has been replaced with
`clan.vars.password-store.passPackage` to provide better type safety and
clearer configuration.

Changes:
- Remove problematic mkRemovedOptionModule that caused circular dependency
- Add proper option definition with assertion-based migration
- Users setting the old option get clear migration instructions
- Normal evaluation continues to work for users not using the old option

Migration: Replace `clan.core.vars.settings.passBackend = "passage"`
with `clan.vars.password-store.passPackage = pkgs.passage`

nixosModules/clanCore/vars/secret/password-store.nix

@@ -62,6 +62,13 @@ in
         location where the tarball with the password-store secrets will be uploaded to and the manifest
       '';
     };
+    passPackage = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.pass;
+      description = ''
+        Password store package to use. Can be pkgs.pass for GPG-based storage or pkgs.passage for age-based storage.
+      '';
+    };
   };
   config = {
     clan.core.vars.settings =
@@ -76,7 +83,7 @@ in
                 else if file.config.neededFor == "services" then
                   "/run/secrets/${file.config.generatorName}/${file.config.name}"
                 else if file.config.neededFor == "activation" then
-                  "${config.clan.password-store.secretLocation}/activation/${file.config.generatorName}/${file.config.name}"
+                  "${config.clan.vars.password-store.secretLocation}/activation/${file.config.generatorName}/${file.config.name}"
                 else if file.config.neededFor == "partitioning" then
                   "/run/partitioning-secrets/${file.config.generatorName}/${file.config.name}"
                 else