
support age plugin identities for hardware-backed keys #159

Merged: iicky merged 2 commits into main from feat/age-plugin-identities on Apr 23, 2026

@iicky (Owner) commented Apr 23, 2026
  • add `plugin` and `cli-common` features to the `age` dep so murk can dispatch to external `age-plugin-<name>` binaries
  • extend `MurkRecipient` with a `Plugin` variant and `MurkIdentity` with a `Plugin { identity, pubkey }` variant that stores the recipient pubkey alongside the opaque plugin pointer
  • `parse_identity` now accepts three shapes: a bare age key, an SSH PEM key, or an age identity file with a `# public key: age1...` header above an `AGE-PLUGIN-<NAME>-1...` pointer
  • `parse_recipient` accepts plugin recipients like `age1yubikey1...`
  • encrypt groups plugin recipients by plugin name and wraps each group in `RecipientPluginV1` so encryption to mixed native + plugin recipients just works
  • decrypt constructs `IdentityPluginV1` on the fly for plugin identities; dispatches to the plugin via `UiCallbacks` for touch / PIN prompts
  • `env::resolve_key_with_source` no longer trims file contents so multi-line plugin identity files round-trip through `parse_identity`
  • `recovery::phrase_from_key` and `cmd_recover` error clearly on plugin identities with an explanation: BIP39 encodes raw key bytes, hardware-backed keys have none to encode, backup strategy is a second enrolled device as recipient
  • `MurkIdentity::Debug` redacts key material so accidental logs do not leak secrets
  • fix deadlock in `env::tests::resolve_key_does_not_read_dotenv`: it was acquiring `CWD_LOCK` before `ENV_LOCK` while every other test uses the opposite order, causing intermittent hangs under parallel test scheduling
  • README: new Hardware identities section with plugin table (YubiKey, Secure Enclave, FIDO2, OpenPGP Card) and full YubiKey setup example
  • SPEC: env var table updated to reflect the three identity-file shapes; new Hardware-backed identities subsection documenting the file format and `MURK_KEY` vs `MURK_KEY_FILE` trade-off
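
The three identity shapes listed for `parse_identity`, together with a redacting `Debug`, sketched as an added std-only example; it is not murk's code and does not use the `age` crate. `Shape` and `classify` are hypothetical names, the key strings are constructed placeholders, and requiring a header pubkey that starts with `age1` is this example's own assumption.

```rust
use std::fmt;
// Hypothetical type for this example; murk's real type is MurkIdentity.
#[derive(PartialEq)]
pub enum Shape {
    Native(String),
    Ssh(String),
    Plugin { plugin: String, identity: String, pubkey: String },
}

// Redacting Debug: only the plugin name and the public half are printable.
impl fmt::Debug for Shape {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Shape::Native(_) => f.write_str("Native(<redacted>)"),
            Shape::Ssh(_) => f.write_str("Ssh(<redacted>)"),
            Shape::Plugin { plugin, pubkey, .. } => write!(f, "Plugin {{ plugin: {plugin:?}, pubkey: {pubkey:?}, identity: <redacted> }}"),
        }
    }
}

/// Classify identity-file contents line by line (the input is not pre-trimmed).
pub fn classify(contents: &str) -> Result<Shape, String> {
    if contents.trim_start().starts_with("-----BEGIN ") {
        return Ok(Shape::Ssh(contents.to_string()));
    }
    let mut pubkey: Option<String> = None;
    for line in contents.lines().map(str::trim) {
        if let Some(pk) = line.strip_prefix("# public key:") {
            pubkey = Some(pk.trim().to_string());
        } else if let Some(rest) = line.strip_prefix("AGE-PLUGIN-") {
            // Bech32 data holds neither '-' nor '1', so the last "-1" closes "AGE-PLUGIN-<NAME>-1".
            let sep = rest.rfind("-1").ok_or("malformed plugin identity")?;
            let plugin = rest[..sep].to_lowercase();
            let pubkey = pubkey.take().ok_or("plugin identity needs a '# public key:' header above it")?;
            if plugin.is_empty() || !pubkey.starts_with("age1") {
                return Err("plugin name or header pubkey is malformed".into());
            }
            return Ok(Shape::Plugin { plugin, identity: line.to_string(), pubkey });
        } else if line.starts_with("AGE-SECRET-KEY-1") {
            return Ok(Shape::Native(line.to_string()));
        }
    }
    Err("no age identity found".into())
}

fn main() {
    // Constructed sample file; the values are placeholders, not real keys.
    println!("{:?}", classify("# public key: age1yubikey1qconstructed\nAGE-PLUGIN-YUBIKEY-1CONSTRUCTED\n"));
}
```
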

codecov Bot commented Apr 23, 2026

Codecov Report

❌ Patch coverage is 65.89595% with 59 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.46%. Comparing base (b6d5e7a) to head (654a3ec).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/crypto.rs | 69.33% | 41 Missing and 5 partials ⚠️ |
| src/recovery.rs | 36.36% | 7 Missing ⚠️ |
| src/main.rs | 57.14% | 3 Missing ⚠️ |
| src/env.rs | 50.00% | 1 Missing and 1 partial ⚠️ |
| src/github.rs | 0.00% | 1 Missing ⚠️ |


@iicky merged commit 2a16e0b into main Apr 23, 2026
27 checks passed
@iicky deleted the feat/age-plugin-identities branch April 23, 2026 12:53