keymaster: sign challenge (UTF-8), genesis note, session vault sync

[Undline]

Add GET/POST /identities/{id}/sign: paste challenge text, sign UTF-8 bytes with Ed25519, show hex and copy. New profile_sign template, link from profile detail, textarea styles, and a compact genesis tracking strip below the header row (keeps theme toggle on the same line as the nav dock).

Introduce sign_challenge_utf8 with a size cap; document the route in README.

replace_session_vault now updates every in-memory session after a disk write so additional tabs see new identities; only the requesting session gets touch() for idle timing.

Tests: sign round-trip and HTTP flow; session vault sync across two session ids.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a371ad4fb4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Normalize textarea newlines before signing payload

For multi-line challenges submitted through the browser form, <textarea> values are normalized to CRLF line endings on submit, and this handler signs the resulting challenge string as-is. That means a challenge whose canonical bytes use LF can produce a different signature here and fail verification in Core. This issue is input-dependent (multi-line payloads) but directly affects signature correctness; normalize line endings to the agreed canonical form before calling sign_challenge_utf8.

Useful? React with 👍 / 👎.