feat(proof): add agent_identity_verified flag

[desiorac]

Summary

• Add optional bool field parties.agent_identity_verified — true when agent_identity is a cryptographically verified DID bound to the API key via Ed25519 challenge-response. Absent when self-declared.
• Aligns implementation with proof-spec v2.1.2 (published today).
• Zero breaking change: existing proofs without DID binding are unaffected.

Motivation

The parties.agent_identity field could contain either a verified DID or a self-declared string — indistinguishable without internal knowledge. This flag lets downstream systems (e.g. entity verification modules) tell the two apart without parsing the value.

Changes

• trust_layer/proofs.py: new agent_identity_verified param in generate_proof() and exposed in get_public_proof()
• trust_layer/proxy.py: set agent_identity_verified=True when verified_did override is applied
• tests/test_identity.py: new test_proof_with_verified_did, asserts flag absent on self-declared identity

Test plan

• pytest tests/ --ignore=tests/test_email_pipeline_v3.py — 427 passed
• Deploy via ./scripts/deploy_trust_layer_prod.sh
• Verify proof with DID binding → agent_identity_verified: true
• Verify proof without binding → agent_identity_verified absent

🤖 Generated with Claude Code

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 9f3d456.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None