
feat: agentdiff keys rotate command #20

@codeprakhar25

Description

What

Implement agentdiff keys rotate — generate a new ed25519 keypair, archive the old one, and optionally re-sign recent traces.

Why

keys.rs already references this command in its error message: "Use 'agentdiff keys rotate' to rotate", but only Keys::Init is implemented. Rotating a compromised key currently means manually deleting ~/.agentdiff/keys/private.key and re-running init — no audit trail, no re-signing. This is a blocker for any enterprise security review.

How

  • Add Rotate variant to KeysAction enum in cli.rs
  • generate_keypair_to(new_path) → store old key in ~/.agentdiff/keys/archive/ with expiry timestamps
  • Register new public key in key registry (refs/agentdiff/meta:keys/)
  • agentdiff verify should check against all non-expired keys in archive
  • Optionally: re-sign last N traces after rotation

Effort

~1 hour. Depends on key registry implementation (refs/agentdiff/meta:keys/).
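The rotate / archive / verify flow sketched in the How list, as an added example that is not the agentdiff project's own code (the project is Rust; this is a Go sketch on the standard library's crypto/ed25519 so it runs with no dependencies). It assumes an in-memory KeyStore standing in for ~/.agentdiff/keys/ and the refs/agentdiff/meta:keys/ registry, a caller-supplied clock, and that only the public half of the retired key is archived.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"time"
)

// KeyStore holds the active keypair plus retired public keys (raw bytes) mapped to expiry.
type KeyStore struct {
	Private ed25519.PrivateKey
	Public  ed25519.PublicKey
	Archive map[string]time.Time
}

// NewKeyStore plays the role of `keys init`: one fresh ed25519 keypair, empty archive.
func NewKeyStore() (*KeyStore, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyStore{Private: priv, Public: pub, Archive: map[string]time.Time{}}, nil
}

// Rotate installs a fresh keypair and retires the old public key until now+grace.
// Only the public half is archived (this example's choice); re-signing uses the new key.
func (ks *KeyStore) Rotate(now time.Time, grace time.Duration) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	ks.Archive[string(ks.Public)] = now.Add(grace)
	ks.Private, ks.Public = priv, pub
	return nil
}

// Sign signs a trace with the currently active private key.
func (ks *KeyStore) Sign(trace []byte) []byte { return ed25519.Sign(ks.Private, trace) }

// Verify accepts the active key or any archived key not yet expired at now; expired keys are unknown.
func (ks *KeyStore) Verify(trace, sig []byte, now time.Time) bool {
	if ed25519.Verify(ks.Public, trace, sig) {
		return true
	}
	for raw, expires := range ks.Archive {
		if now.Before(expires) && ed25519.Verify(ed25519.PublicKey(raw), trace, sig) {
			return true
		}
	}
	return false
}
```

Verification takes the clock as a parameter so the grace-period cutoff is testable; the expiry map is what a file-backed archive directory would need to persist alongside each retired key.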
