[BOUNTY] TOFU Key Revocation and Rotation — 15 RTC (focused)

[dannamax]

Fixes #308

This PR implements a focused TOFU (Trust-On-First-Use) key management system for RustChain attestation with:

✅ Core Features Only:

• Admin endpoint to revoke compromised keys (POST /admin/tofu/revoke)
• Agent endpoint to rotate their own keys (POST /tofu/rotate)
• Revoked keys immediately rejected on all endpoints
• Rotation creates audit trail (old key → new key, timestamp)
• Storage extends existing nonce/TOFU SQLite storage

✅ Focused Implementation:

• ONLY adds TOFU tables, validation functions, and HTTP endpoints
• NO unrelated features or modifications
• NO import of nonexistent modules
• Clean merge against main branch

✅ Security & Quality:

• Proper admin authentication for revocation endpoint
• Ed25519 signature verification with pynacl
• Comprehensive error handling and validation
• Full test coverage included

This is a focused resubmission of PR #386 based on maintainer feedback. All scope creep issues have been addressed.

---

Testing: All unit tests pass. Implementation follows BS2.0 quality principles.

[Scottcjn]

Closing as duplicate of PR #395 (same bounty, same author).