
feat: Add credential lifecycle management — key rotation, revocation, and versioning #82

@imran-siddique

Description

Problem

AgentMesh issues Ed25519 credentials but has no mechanism for key rotation, certificate revocation, or credential versioning. TTL/expiry exists (stateless.py) with lazy checking, but that's reactive only — no proactive lifecycle management.

A compromised agent credential has no kill path short of redeploying the entire mesh.

Evidence from Code Audit

  • CredentialExpiredError exception exists (exceptions.py lines 101-105) but only for TTL expiry
  • keystore.py generates and stores keys but has no rotate(), revoke(), or refresh() methods
  • No key versioning — no history of rotated keys
  • No revocation list (CRL equivalent) for agent credentials
  • Expiry is reactive: entries expire on read, not proactively monitored

Proposed Solution

  1. Key Rotation: Add keystore.rotate(agent_id) that generates new keypair, archives old key with version number, and updates trust cards
  2. Revocation: Add keystore.revoke(agent_id, key_version) that adds key to revocation list; verification checks revocation before accepting signatures
  3. Key Versioning: Store (key, version, created_at, expires_at, revoked_at) tuples
  4. Proactive Expiry: Background task or middleware that flags credentials approaching expiry
  5. Rotation Policy: Configurable auto-rotation interval per agent class

Acceptance Criteria

  • rotate() generates new key, archives old one, bumps version
  • revoke() invalidates a specific key version
  • Signature verification checks revocation list
  • Key history queryable by agent_id
  • Auto-rotation policy configurable via YAML
  • Unit tests for full rotation/revocation lifecycle

/cc @imran-siddique
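A sketch of the proposed lifecycle as an added example: this is not AgentMesh code, and `KeyStore`, `KeyRecord`, `rotate()`, `revoke()`, `verify()`, `expiring_within()` and the three error classes are assumed names modelled on the proposal above, not the project's keystore.py API. It uses the `cryptography` package for Ed25519 when it is installed and otherwise falls back to a clearly labelled HMAC stand-in so the lifecycle logic still runs offline. The points it demonstrates: verification consults the revocation flag and expiry before doing any signature math, the previous version stays verify-only after rotation so in-flight signatures keep validating until revoked or expired, and the proactive-expiry scan is the query a background task would run.

```python
"""Versioned Ed25519 credential store with rotate(), revoke() and revocation-aware verify().
Added example for this issue; all names are assumptions, not AgentMesh's keystore.py API.
Uses `cryptography` for Ed25519 if installed, else a labelled HMAC stand-in (a MAC, not a signature)."""
from __future__ import annotations
import hashlib, hmac, os, time
from dataclasses import dataclass
from typing import Callable, Optional

try:
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

    def _keygen():
        sk = Ed25519PrivateKey.generate()
        return sk, sk.public_key()
    def _sign(sk, msg: bytes) -> bytes:
        return sk.sign(msg)
    def _verify(pk, msg: bytes, sig: bytes) -> bool:
        try:
            pk.verify(sig, msg)
            return True
        except InvalidSignature:
            return False
except ImportError:  # stand-in only: symmetric HMAC, so "public" and private halves are the same secret
    def _keygen():
        k = os.urandom(32)
        return k, k
    def _sign(sk, msg: bytes) -> bytes:
        return hmac.new(sk, msg, hashlib.sha256).digest()
    def _verify(pk, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(_sign(pk, msg), sig)


class KeyRevokedError(Exception): pass
class KeyExpiredError(Exception): pass
class UnknownKeyError(Exception): pass


@dataclass
class KeyRecord:  # the (key, version, created_at, expires_at, revoked_at) tuple from the proposal
    version: int
    private: object
    public: object
    created_at: float
    expires_at: float
    revoked_at: Optional[float] = None


class KeyStore:
    """Per-agent key history: the newest usable version signs, any usable version verifies."""

    def __init__(self, ttl: float = 3600.0, clock: Callable[[], float] = time.time):
        self._ttl, self._clock, self._keys = ttl, clock, {}

    def rotate(self, agent_id: str) -> KeyRecord:
        """Issue version n+1 (n=0 for a new agent); the old key stays verify-only until expiry or revocation."""
        hist = self._keys.setdefault(agent_id, [])
        sk, pk = _keygen()
        now = self._clock()
        hist.append(KeyRecord(len(hist) + 1, sk, pk, now, now + self._ttl))
        return hist[-1]

    def revoke(self, agent_id: str, version: int) -> None:
        """Kill one key version immediately; verify() checks this flag before any signature math."""
        rec = self._get(agent_id, version)
        if rec.revoked_at is None:
            rec.revoked_at = self._clock()

    def history(self, agent_id: str) -> list[tuple[int, float, float, Optional[float]]]:
        return [(r.version, r.created_at, r.expires_at, r.revoked_at) for r in self._keys.get(agent_id, [])]

    def sign(self, agent_id: str, msg: bytes) -> tuple[int, bytes]:
        live = [r for r in self._keys.get(agent_id, []) if self._status(r) is None]
        if not live:
            raise UnknownKeyError(f"no usable key for {agent_id}")
        return live[-1].version, _sign(live[-1].private, msg)

    def verify(self, agent_id: str, version: int, msg: bytes, sig: bytes) -> bool:
        """Revocation and expiry are checked BEFORE the signature, so a revoked key never validates."""
        rec = self._get(agent_id, version)
        err = self._status(rec)
        if err is not None:
            raise err(f"{agent_id} key v{version}")
        return _verify(rec.public, msg, sig)

    def expiring_within(self, seconds: float) -> list[tuple[str, int, float]]:
        """Proactive expiry for a background task: usable keys that expire within `seconds`."""
        now = self._clock()
        return [(a, r.version, r.expires_at - now) for a, hist in self._keys.items()
                for r in hist if self._status(r) is None and r.expires_at - now <= seconds]

    def _get(self, agent_id: str, version: int) -> KeyRecord:
        for r in self._keys.get(agent_id, []):
            if r.version == version:
                return r
        raise UnknownKeyError(f"{agent_id} has no key version {version}")

    def _status(self, rec: KeyRecord):  # None if usable, else the error class to raise
        if rec.revoked_at is not None:
            return KeyRevokedError
        if self._clock() >= rec.expires_at:
            return KeyExpiredError
        return None
```

The clock is injected so tests can drive expiry deterministically. Rotation is deliberately soft (the old version keeps verifying until its own TTL runs out) and revocation is the hard kill, which is the distinction the issue draws between proactive lifecycle management and the existing reactive TTL. A per-agent-class rotation interval loaded from YAML would simply decide when to call `rotate()`; that scheduler is not shown here.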

Labels: enhancement (New feature or request)