fix(security): timelock identity registry changes in CLPc #17

Merged
boris merged 1 commit into main from security/timelock-identity-registry-admin-action
Feb 23, 2026

Conversation

boris (Collaborator) commented Feb 19, 2026

Vulnerability

High risk: single-key admin could instantly switch identityRegistry in CLPc.

If admin key is compromised/misused, an attacker can point token policy to a malicious registry immediately.

Changes in this PR

  • add timelock guard for registry changes (2 days)
  • setIdentityRegistry(new) now schedules pending update
  • add executeIdentityRegistryUpdate()
  • add cancelIdentityRegistryUpdate()
  • add errors/events/state for pending update visibility
  • add security write-up with exploit/repro and migration:
    • docs/security/03-admin-single-key-and-instant-registry-switch.md

How to verify / exploit (old behavior)

  1. With admin permissions, deploy malicious registry.
  2. Call old setIdentityRegistry(malicious).
  3. Registry switch happens instantly and policy source is compromised.

Remediation / migration steps

  1. Deploy new CLPc version from this PR.
  2. Re-grant roles to expected operators/program contracts.
  3. Update integrations to new token address.
  4. Recommended: move admin to multisig for additional protection.

@boris boris merged commit af619d9 into main Feb 23, 2026
1 check passed
@boris boris deleted the security/timelock-identity-registry-admin-action branch February 23, 2026 10:30
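
The schedule / execute / cancel flow listed in the PR description, modelled in plain Python as an added example (not code from this PR or from the CLPc contract). The method names mirror the functions named in the PR; the `pending_registry` and `pending_eta` fields, the admin-only checks on execute and cancel, and a reschedule restarting the delay are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

TIMELOCK_DELAY = 2 * 24 * 60 * 60  # 2 days in seconds, the delay stated in the PR


class TimelockError(Exception):
    """Raised when a call would bypass the schedule/execute/cancel flow."""


@dataclass
class RegistryTimelock:
    # Model only: field names and access rules are assumptions, not the contract's.
    admin: str
    identity_registry: str
    pending_registry: Optional[str] = None
    pending_eta: Optional[int] = None  # earliest execution time, unix seconds

    def _only_admin(self, caller: str) -> None:
        if caller != self.admin:
            raise TimelockError("caller is not admin")

    def set_identity_registry(self, caller: str, new_registry: str, now: int) -> int:
        # Schedules only: the active registry is untouched until execute.
        self._only_admin(caller)
        self.pending_registry = new_registry
        self.pending_eta = now + TIMELOCK_DELAY  # a reschedule restarts the clock
        return self.pending_eta

    def execute_identity_registry_update(self, caller: str, now: int) -> str:
        self._only_admin(caller)
        if self.pending_registry is None:
            raise TimelockError("no pending update")
        if now < self.pending_eta:
            raise TimelockError("timelock not elapsed")
        self.identity_registry = self.pending_registry
        self.pending_registry = self.pending_eta = None
        return self.identity_registry

    def cancel_identity_registry_update(self, caller: str) -> None:
        self._only_admin(caller)
        if self.pending_registry is None:
            raise TimelockError("no pending update")
        self.pending_registry = self.pending_eta = None
```

In this model a pending update is visible state for the full two days, which is the window in which monitoring can catch an unexpected registry address and have it cancelled before it takes effect.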