identity+crypto: atomic 0600 key file and zeroize secrets on drop

[intendednull]

Closes #126
Closes #127
Progresses #108

Summary

Hardens on-disk identity storage and in-memory secret handling for Willow's identity / crypto layers.

Issue #126 — atomic key file write, 0600 perms, perm validation

• Identity::load_or_generate now writes the key file atomically: opens a sibling temp file with O_CREAT|O_EXCL and (on Unix) mode 0o600, writes via with_secret_bytes so the buffer is zeroized, fsyncs, and renames into place. A crash mid-write can no longer leave a half-written or world-readable key on disk.
• On load, the file mode is checked on Unix; any group/other access (anything matching mode & 0o077 != 0) is rejected with a new IdentityError::InsecurePermissions { path, mode } variant rather than silently using a leaked key.
• All filesystem code stays under #[cfg(not(target_arch = "wasm32"))]; Unix-only bits sit under #[cfg(unix)] so Windows and WASM still build.
• OpenOptions::new().write(true).create_new(true) (plus a sibling .<file>.tmp.<pid>.<nanos> name) catches the concurrent-startup race the issue called out.

Issue #127 — zeroize SecretKey and ChannelKey on drop

• ChannelKey derives ZeroizeOnDrop (#[zeroize] pub(crate) [u8; 32]). Public API (as_bytes, from_bytes, the pub(crate) field) is unchanged, so willow-channel / willow-state / willow-client consumers don't need updates.
• iroh_base::SecretKey already derives zeroize::ZeroizeOnDrop internally (verified by reading iroh-base-0.97.0/src/key.rs:235), so Identity derives ZeroizeOnDrop with #[zeroize(skip)] on the secret_key field. The derive is kept for the type-level guarantee that's enforced by the new compile-time _is_zeroize_on_drop tests — if the inner representation ever changes to a non-zeroizing type, the build will fail.
• New Identity::with_secret_bytes(|bytes| ...) callback API that exposes the raw 32-byte secret only inside the closure and zeroizes the buffer on the way out. atomic_write_key uses this to avoid leaking the key bytes through a heap-allocated Vec<u8>.
• Identity::to_bytes is marked #[must_use] with a doc comment urging callers to either zeroize the returned Vec<u8> or prefer with_secret_bytes. Existing call sites in crates/agent and crates/client are out-of-scope for this PR (per the task guardrails) and are unaffected because must_use only fires on truly-unused returns.

Scope guardrails respected

• Only crates/identity/, crates/crypto/ (just ChannelKey + workspace dep wiring), and the workspace Cargo.toml are touched.
• The on-disk key file format is unchanged (still raw 32 Ed25519 bytes).
• The wire format is unchanged.
• The ratchet / HKDF code from PR Add ratchet counter DoS protection and RotateChannelKey authorization #134 is untouched.

Test Plan

• cargo test -p willow-identity — 20 tests pass, including:
  • load_or_generate_creates_file_with_0600_on_unix (gated #[cfg(unix)])
  • load_existing_with_loose_perms_returns_insecure_permissions (gated #[cfg(unix)])
  • load_existing_with_secure_perms_succeeds
  • load_or_generate_persists_identity (round-trip)
  • identity_is_zeroize_on_drop (compile-time assertion)
  • with_secret_bytes_exposes_full_secret
• cargo test -p willow-crypto — 31 tests pass, including the new channel_key_is_zeroize_on_drop compile-time assertion.
• cargo clippy --workspace -- -D warnings — clean.
• cargo fmt --check — clean.
• cargo check --target wasm32-unknown-unknown for the standard library set — clean.
• Workspace tests pass for willow-identity, willow-crypto, willow-channel, willow-client, willow-state, willow-worker (worker's load_or_generate_* tests still pass against the new error path).

Note: three pre-existing flakes in willow-actor (send_dead_actor_returns_send_error, ask_dead_actor_returns_closed, recipient_dead_actor) intermittently race when the workspace is run under heavy parallelism. They pass in isolation and reproduce on origin/main without these changes — unrelated to this PR.