feat: DRS audit explorer — CLI command and web UI for chain inspection

[OkeyAmy]

Problem

DRS has strong verification and storage layers, but no user-facing tool for inspecting stored delegation chains. Operators and auditors cannot easily browse, search, or understand the delegation history without reading raw JWT strings.

Proposed Solution

Build an audit explorer with two interfaces:

1. CLI command (drs audit explore) — queries the verification server's store and displays chain details in a human-readable format
2. Web UI (optional, served by drs-verify) — a minimal single-page interface for browsing stored chains

Acceptance Criteria

• CLI command that queries stored receipts and displays chain details (issuer, subject, audience, policy, timestamps)
• Supports filtering by: root principal DID, time range, command path
• Displays chain structure (root → sub → ... → invocation) with visual indentation
• Output formats: human-readable (default), JSON (for piping)
• Tests cover: formatting logic, filter matching, empty results handling
• No hardcoded DIDs or timestamps in tests

Relevant Files

• drs-sdk/src/cli/commands/audit.ts — existing audit CLI command to extend
• drs-verify/pkg/store/store.go — store interface for reading receipts
• drs-verify/cmd/server/main.go — server to add optional web endpoint

Implementation Notes

Start with the CLI command. The web UI can be a follow-up. The CLI should work against any drs-verify instance via HTTP.