feat(identity-wallet): P-256 device key via Secure Enclave #40

Summary#

Adds device_key.rs with compile-time #[cfg] dispatch: macOS/Simulator uses a software P-256 keypair (via crypto crate + Keychain), real iOS device uses the Secure Enclave via security_framework 3.x
Wires device_key::get_or_create() into create_account so the relay receives the SE-backed public key instead of an ephemeral software keypair
Exposes get_or_create_device_key and sign_with_device_key as Tauri IPC commands with typed TypeScript wrappers in ipc.ts

cfg deviation: uses any(target_os = "macos", all(target_os = "ios", target_env = "sim")) for the software path so cargo test exercises real code on macOS host (the design's target_env = "sim" predicate doesn't match macOS where target_env = "").
Low-S normalization: SE signatures are normalized via normalize_s() for ATProto/did:plc compatibility; the simulator path uses RFC 6979 which produces low-S natively.
Safe wrapper over raw FFI: uses security_framework 3.x safe API instead of raw security-framework-sys — same functionality, no unsafe blocks.

cargo test -p identity-wallet -- --test-threads=1 — 22 tests pass (8 device_key + 14 lib)
Manual simulator verification per docs/test-plans/2026-03-18-MM-145.md (key generation, signing, IPC round-trip)
Manual physical device verification: SE persistence across cold restart (AC2.1), private key non-extractable (AC2.2)