flag secrets that still need rotating after a revoke #237

Merged
iicky merged 1 commit into main from feat/post-revoke-rotation-tracking
Jun 18, 2026

@iicky iicky commented Jun 18, 2026

Owner
  • add SchemaEntry.revoked_at, stamped on exposed keys when circle revoke defers rotation, cleared on any value write
  • flag it via doctor (RotationIssue::RevokePending) until the value is rotated, so the obligation survives declining the prompt and shows without a key
  • cover the marker with a new v9 MAC (blake3v7:), written only when a revoked_at exists and rejected under older prefixes so it can't be cleared by downgrading the MAC
  • document the field and v9 scheme in SPEC.md and THREAT_MODEL.md
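
A sketch of the prefix-gated MAC check the description outlines, added here as an illustration and not taken from this PR or the project's code. The prefixes `demo-old:` and `demo-new:`, the entry layout, the helper names, and keyed BLAKE2b standing in for the BLAKE3 MAC are all assumptions.

```python
import hashlib, hmac

OLD, NEW = "demo-old:", "demo-new:"  # hypothetical prefixes, not the project's

def _tag(key, prefix, fields):
    # Keyed BLAKE2b stands in for the project's BLAKE3 MAC (assumption).
    h = hashlib.blake2b(key=key, digest_size=32)
    h.update(prefix.encode())
    for f in fields:
        b = f.encode()
        h.update(len(b).to_bytes(8, "big") + b)  # length-prefix each field
    return prefix + h.hexdigest()

def _covered(entry, prefix):
    fields = [entry["name"], entry["value"]]
    if prefix == NEW:
        fields.append(entry["revoked_at"])  # only the new scheme covers the marker
    return fields

def seal(key, entry):
    # The new prefix is written only when a revoked_at marker exists.
    prefix = NEW if entry.get("revoked_at") else OLD
    return dict(entry, mac=_tag(key, prefix, _covered(entry, prefix)))

def verify(key, entry):
    mac = entry.get("mac", "")
    prefix = NEW if mac.startswith(NEW) else OLD if mac.startswith(OLD) else None
    if prefix is None:
        return False
    # A marker under the old prefix would be unauthenticated, so reject it.
    # This sketch also rejects the new prefix when no marker is present.
    if bool(entry.get("revoked_at")) != (prefix == NEW):
        return False
    return hmac.compare_digest(mac, _tag(key, prefix, _covered(entry, prefix)))

def write_value(key, entry, value):
    # Any value write clears the marker, so the entry reseals under the old prefix.
    return seal(key, {"name": entry["name"], "value": value})

def demo():
    key = b"\x01" * 32  # constructed key and entry, for illustration only
    revoked = seal(key, {"name": "API_KEY", "value": "v1",
                         "revoked_at": "2026-06-18T21:00:00Z"})
    old_mac = seal(key, {"name": "API_KEY", "value": "v1"})["mac"]
    return {
        "intact": verify(key, revoked),
        "marker_edited": verify(key, dict(revoked, revoked_at="2020-01-01T00:00:00Z")),
        "mac_downgraded": verify(key, dict(revoked, mac=old_mac)),
        "rotated": verify(key, write_value(key, revoked, "v2")),
    }
```

This sketch does not detect a rollback to an older, validly sealed copy of the whole entry; that needs a separate freshness mechanism.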

codecov Bot commented Jun 18, 2026


Codecov Report

❌ Patch coverage is 98.63014% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.65%. Comparing base (fbe9bc9) to head (a70572f).
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
src/lib.rs 97.75% 1 Missing and 1 partial ⚠️

@iicky iicky merged commit a494c55 into main Jun 18, 2026
21 checks passed
@iicky iicky deleted the feat/post-revoke-rotation-tracking branch June 18, 2026 21:33