feat: add request signing support (bot-auth) #1032

@chaliy

Summary

The toolkit library contract now requires HTTP-capable kits to support Ed25519 request signing per RFC 9421 / web-bot-auth profile (section 9). bashkit does not currently make outbound HTTP requests, so this is not immediately required — but if bashkit ever adds HTTP capabilities (e.g. fetching scripts, webhook callbacks), it must implement the signing contract.

What changed

everruns/everruns#1183 added section 9 to the toolkit library contract spec:

  • Feature-gated bot-auth cargo feature
  • BotAuthConfig on ToolBuilder (signing key seed, optional agent FQDN, validity window)
  • Ed25519 signing of all outbound HTTP requests (Signature, Signature-Input, Signature-Agent headers)
  • Non-blocking: signing failures must not block requests
  • derive_bot_auth_public_key() for consumer key directory serving
  • JWK Thumbprint (RFC 7638) as key identity

Action required

  • If bashkit gains HTTP capabilities: implement the bot-auth contract per the spec, following fetchkit's reference implementation
  • If bashkit stays non-HTTP: no action needed — the spec explicitly exempts non-HTTP kits
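
Added example, not part of the issue and not code from bashkit, fetchkit or the everruns spec: a Python sketch (the kits themselves are Rust) of the two deterministic pieces listed above, the RFC 7638 thumbprint used as key identity and the RFC 9421 signature base that the Ed25519 key signs. The function names, the `tag="web-bot-auth"` parameter, the covered components and the `https://` form of the Signature-Agent value are assumptions taken from the web-bot-auth draft, not from this page; the signing step itself is omitted because the Python standard library has no Ed25519.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, as used by JWK members and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(public_key: bytes) -> str:
    """RFC 7638 thumbprint of an Ed25519 public key (OKP JWK, RFC 8037)."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    # Only the required members, sorted by name, with no whitespace.
    jwk = {"crv": "Ed25519", "kty": "OKP", "x": b64url(public_key)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def signature_params(keyid, created, validity_secs, agent=None):
    """Inner list plus parameters, shared by Signature-Input and the base."""
    if validity_secs <= 0:
        raise ValueError("validity window must be positive")
    # The agent FQDN is optional; cover signature-agent only when it is sent.
    covered = ['"@authority"'] + (['"signature-agent"'] if agent else [])
    return (f'({" ".join(covered)});created={created}'
            f';expires={created + validity_secs}'
            f';keyid="{keyid}";tag="web-bot-auth"')  # tag value: assumption

def signature_base(authority, params, agent=None):
    """RFC 9421 section 2.5 signature base: the exact text that gets signed."""
    lines = [f'"@authority": {authority.lower()}']
    if agent:
        # Signature-Agent is a structured-field string, so the quotes stay.
        lines.append(f'"signature-agent": "https://{agent}"')
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)  # no trailing newline

# Public key from RFC 8032 test vector 1 (also the RFC 8037 example key).
PUB = bytes.fromhex(
    "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")

if __name__ == "__main__":
    kid = jwk_thumbprint(PUB)
    # Constructed sample values: timestamp, window, host and agent name.
    params = signature_params(kid, 1700000000, 300, agent="bot.example")
    print("Signature-Input: sig1=" + params)
    print(signature_base("Api.Example", params, agent="bot.example"))
```

A verifier rebuilds the same base from the received request and rejects it when `expires` has passed or the `keyid` thumbprint does not match a key in the agent's published directory.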
