feat(phase-3): workstream 2 — W3C DIDs
Implements W3C DID Core 1.0 per-agent identity for every registered agent:

Schema:
- agent_did_keys table: stores EC P-256 public key JWK + Vault path for private key
- agents.did + agents.did_created_at columns

Key management:
- EC P-256 key pair generated on every agent registration via Node.js crypto
- Private key stored in Vault KV v2 (dev:no-vault marker when Vault not configured)
- Public key JWK stored in PostgreSQL agent_did_keys table

API (4 new endpoints):
- GET /.well-known/did.json — instance DID Document (public, cached)
- GET /api/v1/agents/:id/did — per-agent DID Document (public, 410 for decommissioned)
- GET /api/v1/agents/:id/did/resolve — W3C DID Resolution result (agents:read scope)
- GET /api/v1/agents/:id/did/card — AGNTCY agent card (public)

Implementation:
- DIDService: DID construction, key generation, Redis caching (TTL configurable)
- DIDController: 410 Gone for decommissioned agents, correct Content-Type on resolve
- AgentService: calls DIDService.generateDIDForAgent on every new registration

Tests: 429 passing, DIDService 98.93% coverage, private key absence verified in all responses

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -26,6 +26,10 @@ interface AgentRow {
|
||||
status: string;
|
||||
created_at: Date;
|
||||
updated_at: Date;
|
||||
/** W3C DID identifier — populated after DID generation (Phase 3). */
|
||||
did: string | null;
|
||||
/** Timestamp when the DID was generated (Phase 3). */
|
||||
did_created_at: Date | null;
|
||||
}
|
||||
|
||||
/**
|
||||
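Review bot: The doc comments on `did` and `did_created_at` in `AgentRow` say when the fields are populated but not when `null` is a legitimate value. The commit message states that a key pair is generated on every agent registration, so a null here presumably only occurs for rows created before Phase 3 or for a registration where DID generation failed; please state which in the comment, and whether existing rows are backfilled. Callers of the public DID endpoints need to know whether a null DID is an expected state to handle or an integrity error to alert on.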
@@ -47,6 +51,8 @@ function mapRowToAgent(row: AgentRow): IAgent {
|
||||
status: row.status as AgentStatus,
|
||||
createdAt: row.created_at,
|
||||
updatedAt: row.updated_at,
|
||||
did: row.did ?? undefined,
|
||||
didCreatedAt: row.did_created_at ?? undefined,
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
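Review bot: In `mapRowToAgent`, `did: row.did ?? undefined` and `didCreatedAt: row.did_created_at ?? undefined` map the two columns independently, so a row with one set and the other null produces a half-populated `IAgent` without any signal. Since these two values describe one identity event, consider treating them as a pair (both present or both absent) and logging or rejecting the mixed case, or enforcing it with a CHECK constraint in the schema. Note also that `?? undefined` gives the same result for a SQL NULL and for a column missing from the SELECT list, so a query that was not updated to return the new columns will silently yield agents with no DID; a test that maps a row fetched through the real query would catch that.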