
spec: add identity.yaml — cryptographic agent identity (Ed25519) #76

Open
vystartasv wants to merge 1 commit into open-gitagent:main from vystartasv:spec/identity-layer

Conversation

@vystartasv

Closes #70

What

Adds an optional identity.yaml file convention for verifiable agent identity via Ed25519 keypairs.

Changes

  • spec/schemas/identity.schema.json — JSON Schema for identity.yaml (new)
  • spec/SPECIFICATION.md — Section 3a added with field spec, example, and runtime semantics
  • Directory structure — identity.yaml listed as optional file in agent repos

Schema (subset)

identity_version: "1.0.0-draft"
agent_id: "loan-reviewer"
public_key: "ed25519:BASE64"
key_fingerprint: "sha256:HEX"
passport_uri: "https://..."   # optional richer identity doc
did: "did:wwa:..."              # optional W3C DID
created_at: "2026-05-06T14:30:00Z"
hardware_binding: { type: tpm, attestation: ... }  # optional
owner: { name, email, proof }                        # optional

Alignment with #70

#70 proposed Ed25519 key binding + passport_uri + key_fingerprint. This PR implements all three plus optional DID, hardware binding, and owner identity from the reference standard.

Reference Standard

The schema implements the Works With Agents Identity Protocol (v1.0.0-draft, CC BY 4.0). All identity.yaml fields map 1:1 to the Identity Protocol — gitagent identity.yaml is a compatible subset.

Design decisions

  • Separate file, not agent.yaml section — identity has its own lifecycle (rotation, revocation) independent of the manifest. Keeps agent.yaml clean.
  • Fully optional — no breaking changes. Agents without identity.yaml work as before.
  • Ed25519 — the proposal's suggested algorithm. Wide library support, compact signatures.

Tested

Schema validates against JSON Schema draft 2020-12. Manual test: identity.yaml conforms to identity.schema.json.

Implements the identity layer proposed in open-gitagent#70:
- New identity.yaml optional file convention for agent repos
- JSON Schema (spec/schemas/identity.schema.json)
- SPECIFICATION.md section 3a with field spec, example, semantics
- Directory structure updated

Schema maps 1:1 to Works With Agents Identity Protocol (L2, CC BY 4.0):
https://workswithagents.dev/specs/identity.md

Fully optional. Agents without identity.yaml continue working.
Production/regulated deployments get Ed25519 key binding with
signing, verification, delegation, and revocation semantics.
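
Added example (not part of this PR or the gitagent project's code): a consistency check a consumer could run on a parsed identity.yaml before trusting it, covering the public_key, key_fingerprint and created_at fields from the schema subset above. It assumes the fingerprint is SHA-256 over the raw 32-byte Ed25519 public key and that the key is standard base64, neither of which this page states; `check_identity` and `sample_identity` are hypothetical names, and the sample key is constructed.

```python
import base64
import binascii
import hashlib
import hmac
from datetime import datetime


def check_identity(doc):
    """Return a list of problems found in a parsed identity.yaml mapping."""
    problems = []
    raw = b""
    scheme, _, b64 = str(doc.get("public_key", "")).partition(":")
    if scheme != "ed25519":
        problems.append("public_key: expected 'ed25519:' prefix")
    else:
        try:
            raw = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            problems.append("public_key: not valid base64")
        else:
            if len(raw) != 32:  # Ed25519 public keys are exactly 32 bytes
                problems.append(f"public_key: {len(raw)} bytes, expected 32")
                raw = b""
    algo, _, hexval = str(doc.get("key_fingerprint", "")).partition(":")
    try:
        claimed = bytes.fromhex(hexval)
    except ValueError:
        claimed = b""
    if algo != "sha256" or len(claimed) != 32:
        problems.append("key_fingerprint: expected 'sha256:' + 64 hex chars")
    elif raw:
        # ASSUMPTION: fingerprint = SHA-256 over the raw public key bytes.
        if not hmac.compare_digest(hashlib.sha256(raw).digest(), claimed):
            problems.append("key_fingerprint: does not match public_key")
    try:
        stamp = str(doc.get("created_at", "")).replace("Z", "+00:00")
        if datetime.fromisoformat(stamp).tzinfo is None:
            problems.append("created_at: missing timezone")
    except ValueError:
        problems.append("created_at: not an RFC 3339 timestamp")
    return problems


def sample_identity():
    """Constructed sample: the key is bytes 0..31, not a real agent key."""
    key = bytes(range(32))
    return {
        "agent_id": "loan-reviewer",
        "public_key": "ed25519:" + base64.b64encode(key).decode(),
        "key_fingerprint": "sha256:" + hashlib.sha256(key).hexdigest(),
        "created_at": "2026-05-06T14:30:00Z",
    }
```

A fingerprint that fails this check means the file was edited or the key was swapped without updating the fingerprint, so the identity should be rejected rather than used to verify signatures.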

Development

Successfully merging this pull request may close these issues.

Optional: cryptographic identity layer for gitagent manifests (proposal)