Verification: resolve commit signers via KERI delegation (replace allowed_signers)

[bordumb]

Commit verification still trusts .auths/allowed_signers (generated from attestations). Rewrite it to resolve a signer's device KEL → root-anchored delegation (validate_delegation) minus revocation, i.e. trust derived from KEL replay. This is roadmap Epic B; it's also the real fix for the T1 boundary (today device remove revokes the delegation but doesn't yet drop allowed_signers authority). See docs/architecture/device-model.md / docs/architecture/keri-only-roadmap.md.

[bordumb]

Done in Epic B (fn-145).

auths verify is now KEL-native: it reads the in-band Auths-Id + Auths-Device did:keri: trailers (written by auths sign), resolves the signer's device KEL and the root KEL from the registry, and decides trust by replay — validate_delegation against the root, not revoked, signing key is current — verifying the SSH signature in-process. No ssh-keygen, no allowed_signers allowlist (dropped entirely, Option B). Trust roots are the committed .auths/roots pin.

Verified end-to-end (init -> git commit -> auths sign HEAD -> auths verify HEAD => valid, signer = did:keri, with no allowlist present) and the full workspace test suite is green.

Deferred follow-ons tracked separately: #205 (signing-time/anchored verification), #206 (artifact-path verify), #207 (kt>1 multi-key devices), #208 (remote/OOB KEL resolution), #209 (opt-in allowed_signers export for native git interop).