feat(identity): add sign and verify subcommands #64

Draft: geekgonecrazy wants to merge 2 commits into dev from feat/sign-command


@geekgonecrazy geekgonecrazy commented May 22, 2026

Adds two subcommands under atomic identity for signing and verifying arbitrary bytes using an identity's Ed25519 keypair.

atomic identity sign

Reads raw bytes from stdin, signs them with the identity's Ed25519 secret key, and prints a JSON object:

{
  "signature": "<base64-encoded Ed25519 signature>",
  "public_key": "<base32-encoded public key>",
  "identity": "alice-work",
  "alg": "ed25519"
}

--identity <name> selects a non-default identity. Omitting it uses the current default (whoami).

# Sign a file with the default identity
atomic identity sign < release.tar.gz

# Sign with a named identity
echo -n "hello world" | atomic identity sign --identity alice-work

atomic identity verify

Reads raw bytes from stdin and verifies a signature against a public key. Exits 0 if valid, 1 if invalid.

atomic identity verify \
  --signature <base64-sig> \
  --public-key <base32-key> \
  < release.tar.gz

The --public-key flag takes the base32 public key from a sign output. The --signature flag takes the base64 signature field.

Test plan

  • atomic identity sign produces valid JSON with all four fields
  • Output of sign pipes directly into verify and exits 0
  • verify exits 1 when the payload is tampered
  • verify exits 1 when the wrong public key is supplied
  • sign --identity <name> uses the specified identity, not the default
  • sign with no default identity set returns a helpful error message

atomic identity sign reads bytes from stdin and outputs a JSON object
with a base64 Ed25519 signature, the identity's base32 public key,
the identity name, and alg field. --identity selects a non-default
identity; omitting it uses whoami.

atomic identity verify takes --signature <base64> and --public-key
<base32>, reads bytes from stdin, and exits 0 (valid) or 1 (invalid).
@geekgonecrazy geekgonecrazy changed the title fix(repository): verify content hash in FILE_INDEX fast path; add CB circuits fix(repository): verify content hash in FILE_INDEX fast path on mtime+size match May 22, 2026
@geekgonecrazy geekgonecrazy changed the title fix(repository): verify content hash in FILE_INDEX fast path on mtime+size match feat(identity): add sign and verify subcommands May 22, 2026
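
An added example, not part of this PR or the atomic code base: a consumer-side wrapper around the `sign` JSON and `verify` flags described above that checks `alg`, refuses the `public_key` shipped alongside the signature unless it equals a key pinned out of band, and treats any exit status other than 0 or 1 as an error. `verify_signed`, `VerifyError`, the `run` hook and the pinning workflow are assumptions, as is `atomic` being on `PATH`.

```python
import json
import subprocess

REQUIRED = ("signature", "public_key", "identity", "alg")


class VerifyError(Exception):
    """The sign output is unusable, or `verify` itself failed to run."""


def verify_signed(payload, sign_json, pinned_key, run=subprocess.run):
    """True only if `payload` verifies under `pinned_key`.

    payload    -- the exact bytes that were piped into `atomic identity sign`
    sign_json  -- the JSON text that `atomic identity sign` printed
    pinned_key -- base32 public key obtained out of band (assumed workflow)
    run        -- hypothetical test hook; defaults to subprocess.run
    """
    try:
        doc = json.loads(sign_json)
    except json.JSONDecodeError as exc:
        raise VerifyError(f"sign output is not JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise VerifyError("sign output is not a JSON object")
    bad = [k for k in REQUIRED if not isinstance(doc.get(k), str) or not doc[k]]
    if bad:
        raise VerifyError(f"missing or non-string fields: {bad}")
    if doc["alg"] != "ed25519":
        raise VerifyError(f"unexpected alg {doc['alg']!r}")
    # public_key travels with the signature, so whoever can swap one can swap
    # the other. Compare it to the pinned key and verify with the pinned key.
    if doc["public_key"] != pinned_key:
        raise VerifyError("public_key does not match the pinned key")
    # The signature is untrusted text; keep it from being parsed as an option.
    if doc["signature"].startswith("-"):
        raise VerifyError("signature is not base64")
    proc = run(
        ["atomic", "identity", "verify",
         "--signature", doc["signature"], "--public-key", pinned_key],
        input=payload, capture_output=True,
    )
    if proc.returncode == 0:
        return True
    if proc.returncode == 1:
        return False
    # The PR defines only 0 (valid) and 1 (invalid); anything else is an error.
    raise VerifyError(f"verify exited with status {proc.returncode}")
```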