feat: hulak env rotate-key — identity rotation (#146) #187

Merged
pthapa1 merged 8 commits into main from 146-hulak-env-rotate-key-master-key-rotation
May 1, 2026

@xaaha (Owner) commented Apr 30, 2026

Summary

  • Add hulak env rotate-key (alias: rotate-identity) — generates new age keypair, swaps in recipients.txt, re-encrypts store, backs up old key to identity.txt.old
  • Add import-identity / export-identity aliases for consistency
  • Identity-first write order for crash recovery: backup → new identity → store.age → recipients.txt
  • Interrupted rotation detection: re-running rotate-key after a crash resumes from where it left off
  • Refuses to run when HULAK_MASTER_KEY is set (directs user to import-key first)

Files changed

| File | What |
| --- | --- |
| pkg/vault/keys.go | IdentityOldPath, BackupIdentity, LoadIdentityOld |
| pkg/vault/recipients.go | SwapRecipientKey |
| pkg/userFlags/env_rotate_key.go | runRotateKey + helpers (new) |
| pkg/userFlags/env_rotate_key_test.go | 8 integration tests (new) |
| pkg/userFlags/subcommands.go | Command registration + aliases |

Test plan

  • Single-recipient happy path — new key decrypts, old key doesn't
  • Multi-recipient — teammate's key and name untouched after rotation
  • Refuses when HULAK_MASTER_KEY set — error mentions import-key
  • Refuses extra arguments
  • Store data preserved after rotation (strings, numbers)
  • identity.txt.old overwritten on second rotation
  • Interrupted rotation recovery — crash after identity write, re-run completes
  • Both keys dead — error when neither identity nor .old can decrypt
  • mise check passes (lint + all tests)

Closes #146

@xaaha xaaha linked an issue Apr 30, 2026 that may be closed by this pull request
@xaaha xaaha requested review from pthapa1 April 30, 2026 21:28
@pthapa1 pthapa1 merged commit c9cfbe8 into main May 1, 2026
2 checks passed
@pthapa1 pthapa1 deleted the 146-hulak-env-rotate-key-master-key-rotation branch May 1, 2026 14:54
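
An added illustration, not hulak's code, of why the identity-first write order in the summary makes a crashed rotation resumable, for the single-recipient case only. A map stands in for the key directory and a key-prefix check stands in for age encryption; `Vault`, `Rotate` and `crashAfter` are hypothetical names, and the resume rule (fall back to identity.txt.old when identity.txt cannot decrypt) is an assumption inferred from the test plan.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Vault models the key directory as file name -> contents (assumption: a map
// stands in for disk). Toy stand-in for age: store.age is "<key>\n<plaintext>"
// and only an identity equal to <key> opens it; all names are hypothetical.
type Vault map[string]string

func (v Vault) open(idFile string) (string, bool) {
	key, plain, _ := strings.Cut(v["store.age"], "\n")
	return plain, key != "" && key == v[idFile]
}

// Rotate writes in the PR's order: backup -> new identity -> store.age ->
// recipients.txt, so the store is never encrypted to a key not yet saved.
// crashAfter (hypothetical hook) stops after that many writes; negative = never.
func (v Vault) Rotate(newKey string, crashAfter int) error {
	cur := v["identity.txt"]
	steps := [][2]string{{"identity.txt.old", cur}}
	plain, ok := v.open("identity.txt")
	if !ok { // identity.txt cannot decrypt: did an earlier run die after writing it?
		if plain, ok = v.open("identity.txt.old"); !ok {
			return errors.New("neither identity.txt nor identity.txt.old decrypts the store")
		}
		steps = nil // never overwrite the .old key that still decrypts
		if cur != "" {
			newKey = cur // finish with the key already on disk
		}
	}
	steps = append(steps, [2]string{"identity.txt", newKey},
		[2]string{"store.age", newKey + "\n" + plain}, [2]string{"recipients.txt", newKey})
	for i, s := range steps {
		if i == crashAfter {
			return errors.New("simulated crash")
		}
		v[s[0]] = s[1]
	}
	return nil
}

func main() {
	v := Vault{"identity.txt": "OLD", "recipients.txt": "OLD", "store.age": "OLD\nAPI_KEY=1"} // constructed state
	crash, resume := v.Rotate("NEW", 2), v.Rotate("UNUSED", -1)
	fmt.Printf("%v / %v / %q\n", crash, resume, v["store.age"])
}
```

In this model a crash at any of the four write points leaves a state from which a second run completes without losing the store contents.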

Development

Successfully merging this pull request may close these issues.

hulak env rotate-key — master key rotation
