Slice 10: jotsmith key rotate (snap-cutover) #10

@MaxAnderson95

What to build

Implement jotsmith key rotate [--yes] per PRD §6.5 — snap-cutover rotation. Create a new KV key version, recompute the JWK + thumbprint kid, replace the JWKS in storage with a single-entry array of the new key, optionally refresh the discovery doc, and print the before/after kid to stderr.

Snap-cutover by design (ADR-0005). Tokens minted under the prior key stop verifying the instant rotation completes. No overlap window in v1.

Acceptance criteria

  • Creates a new KV key version under the same key name (does not change the key name)
  • Recomputes the JWK + RFC 7638 thumbprint kid
  • Replaces JWKS in storage with a single-entry array of the new key (snap-cutover; the prior kid disappears immediately)
  • Refreshes the discovery doc only if its rendered bytes changed (no spurious uploads)
  • Prints before/after kid to stderr; nothing on stdout
  • Confirmation prompt unless --yes; prompt only appears on a TTY, and the command errors out cleanly when stdin isn't a TTY and --yes is absent
  • Documented in --help that prior-key tokens stop verifying the instant rotation completes
  • Failure mode if KV version is created but JWKS upload fails: command fails non-zero; subsequent doctor flags the drift (this is verified by a test that mocks an upload failure)
  • Integration test behind //go:build integration mints under the original key, rotates, asserts the original token now fails to verify

Blocked by

Originally created in OpenCode session ID: ses_17ca8efd8ffexLcFSysAMDVNBQ
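
The kid derivation and single-entry JWKS replacement named in the acceptance criteria, as an added Go example (not jotsmith's code). It assumes an RSA key; `NewJWK`, `SnapCutoverJWKS` and `HasKid` are hypothetical names, and locally generated keys stand in for two KV key versions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
)

type JWK struct { // public RSA JWK; fields kept in lexicographic order for RFC 7638
	E   string `json:"e"`
	Kid string `json:"kid,omitempty"`
	Kty string `json:"kty"`
	N   string `json:"n"`
}

// NewJWK derives kid as the RFC 7638 SHA-256 thumbprint over {e, kty, n}.
func NewJWK(pub *rsa.PublicKey) JWK {
	enc := base64.RawURLEncoding
	k := JWK{E: enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes()), Kty: "RSA", N: enc.EncodeToString(pub.N.Bytes())}
	canon, _ := json.Marshal(k) // Kid is still empty, so omitempty leaves it out
	sum := sha256.Sum256(canon)
	k.Kid = enc.EncodeToString(sum[:])
	return k
}

func SnapCutoverJWKS(newKey JWK) []byte { // single entry: the prior key is not carried over
	out, _ := json.Marshal(map[string][]JWK{"keys": {newKey}})
	return out
}

func HasKid(jwks []byte, kid string) bool { // can a verifier reading this JWKS resolve kid?
	var set map[string][]JWK
	_ = json.Unmarshal(jwks, &set) // malformed input leaves the set empty
	for _, k := range set["keys"] {
		if k.Kid == kid {
			return true
		}
	}
	return false
}

func main() { // constructed demo; output goes to stderr via the println builtin
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	before, after := NewJWK(&oldKey.PublicKey), NewJWK(&newKey.PublicKey)
	println("kid before:", before.Kid, "| kid after:", after.Kid, "| old kid published:", HasKid(SnapCutoverJWKS(after), before.Kid))
}
```

A token whose header carries the old kid has no matching JWKS entry after the replacement, which is the behaviour the integration test in the last criterion asserts.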

Labels: ready-for-agent (Fully specified, ready for an AFK agent to pick up)