feat: DRS export-bundle — exportable evidence bundles for auditors and operators

[OkeyAmy]

Problem

Auditors and compliance officers need to extract delegation chain evidence from DRS for external review (regulatory audits, incident investigations, legal proceedings). There is currently no standardized export format or tooling for producing self-contained evidence bundles.

Proposed Solution

Build a drs export-bundle CLI command that produces a self-contained evidence package from a stored delegation chain.

Acceptance Criteria

• CLI command: drs export-bundle --chain-hash <hash> — exports a complete evidence package
• Export includes: all JWTs in the chain, decoded payloads, verification result, RFC 3161 timestamps (if present), chain visualization
• Output formats: JSON (machine-readable), PDF (human-readable report), ZIP archive (both)
• JSON export includes enough information to re-verify the chain independently
• Tests cover: export format structure, handling of chains with/without timestamps, handling of revoked chains
• No hardcoded DIDs, keys, or hashes in tests

Relevant Files

• drs-verify/pkg/store/store.go — store interface for retrieving receipts
• drs-verify/pkg/anchor/rfc3161.go — timestamp token retrieval
• drs-sdk/src/cli/ — CLI infrastructure
• fixtures/conformance/receipts/full-chain-bundle.json — test input

Implementation Notes

Start with JSON export only. PDF generation and ZIP packaging can be follow-ups. The JSON format should be stable and versioned so external tools can parse it reliably. Include a format_version field in the output.