support age plugin identities for hardware-backed keys

[iicky]

• add plugin and cli-common features to the age dep so murk can dispatch to external age-plugin-<name> binaries
• extend MurkRecipient with a Plugin variant and MurkIdentity with a Plugin { identity, pubkey } variant that stores the recipient pubkey alongside the opaque plugin pointer
• parse_identity now accepts three shapes: a bare age key, an SSH PEM key, or an age identity file with a # public key: age1... header above an AGE-PLUGIN-<NAME>-1... pointer
• parse_recipient accepts plugin recipients like age1yubikey1...
• encrypt groups plugin recipients by plugin name and wraps each group in RecipientPluginV1 so encryption to mixed native + plugin recipients just works
• decrypt constructs IdentityPluginV1 on the fly for plugin identities; dispatches to the plugin via UiCallbacks for touch / PIN prompts
• env::resolve_key_with_source no longer trims file contents so multi-line plugin identity files round-trip through parse_identity
• recovery::phrase_from_key and cmd_recover error clearly on plugin identities with an explanation: BIP39 encodes raw key bytes, hardware-backed keys have none to encode, backup strategy is a second enrolled device as recipient
• MurkIdentity::Debug redacts key material so accidental logs do not leak secrets
• fix deadlock in env::tests::resolve_key_does_not_read_dotenv: it was acquiring CWD_LOCK before ENV_LOCK while every other test uses the opposite order, causing intermittent hangs under parallel test scheduling
• README: new Hardware identities section with plugin table (YubiKey, Secure Enclave, FIDO2, OpenPGP Card) and full YubiKey setup example
• SPEC: env var table updated to reflect the three identity-file shapes; new Hardware-backed identities subsection documenting the file format and MURK_KEY vs MURK_KEY_FILE trade-off