runtime: enforce persistent signer identity and deterministic kid

[GsCommand]

Motivation

• DEV_AUTO_KEYS generated ephemeral keys per restart which rotated kid and prevented persistent ENS TXT verification.
• The runtime must support stable signer identity via environment configuration so receipts can be verified long-term against ENS records.
• Enforce canonicalization and key invariants (Ed25519 + matching keypair) to avoid subtle verification mismatches.

Description

• Add persistent signer boot validation: requirePersistentSignerInvariantsOrThrow enforces json.sorted_keys.v1 canonicalization and a non-empty RECEIPT_SIGNER_ID when not in dev mode.
• Add a runtime keypair consistency check assertKeypairMatches(privatePem, publicPem) to reject mismatched private/public material at startup.
• Preserve DEV_AUTO_KEYS for local development but make logs explicitly show DEV MODE vs PERSISTENT SIGNER MODE and print a signer summary including signer_id, canonicalization, kid, and key fingerprint.
• Add scripts/print-ens-records.mjs to produce the TXT values (cl.sig.pub, cl.sig.kid, cl.sig.canonical, cl.receipt.signer) from the configured public key and RECEIPT_SIGNER_ID.
• Tests updated/added in runtime/tests/runtime-signing.test.mjs to cover stable kid across restarts, mismatched key rejection, and missing signer id rejection while keeping DEV_AUTO_KEYS behavior intact.

Testing

• Ran npm install, npm run check, npm test, and npm run ci with all automated tests passing (53 tests, 0 failures).
• Unit and integration smoke tests exercised signing, /health, /verify, full request chains, and the new boot failure cases; all succeeded.
• Executed scripts/print-ens-records.mjs with generated keys to verify output of cl.sig.pub, cl.sig.kid, cl.sig.canonical, and cl.receipt.signer and observed correct values printed.

---

Codex Task