Slice 12: jotsmith destroy

[MaxAnderson95]

What to build

Implement jotsmith destroy [--yes] [--all] per PRD §6.10 — tear down the issuer-shaped state without deleting the Azure resources themselves.

Acceptance criteria

• Soft-deletes the signing key in Key Vault (does not purge — user can purge separately if they want)
• Deletes the discovery doc blob at $web/<discovery_path> and the JWKS blob at $web/<jwks_path>
• Does NOT delete the Storage Account, the Key Vault, or any other resource
• Does NOT delete the config file unless --all is passed
• Confirmation prompt unless --yes; same TTY rules as key rotate (Slice 10: jotsmith key rotate (snap-cutover) #10) — errors out cleanly when stdin isn't a TTY and --yes is absent
• Prints what was deleted to stderr: KV key name + soft-delete recovery hint, blob URLs; nothing on stdout
• Idempotent: re-running against an already-destroyed issuer succeeds with WARN-level messages and exit 0

Blocked by

• Slice 6: jotsmith setup #6 — setup

Originally created in OpenCode session ID: ses_17ca8efd8ffexLcFSysAMDVNBQ

[MaxAnderson95]

Implemented and merged in #14.

Originally created in OpenCode session ID: ses_17c986ef9ffeHc0S3r1wQcmLDT