feat: Decouple Key provider Architecture #83

@mitfik

The current Signer struct fundamentally requires PrivateKey in memory. This makes it impossible
to support:

• HSMs (keys never leave hardware — only sign() calls travel over the wire)
• Cloud KMS (AWS KMS, GCP KMS, Azure Key Vault — private key never exists locally)
• Android Keystore / Secure Enclave (keys bound to hardware TEE/StrongBox)

The abstraction must be signing capability, not seed storage. A standalone crate should define this
interface with zero dependency on keriox.
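
An added sketch of the kind of interface the issue asks for; it is not code from keriox or from the issue author. `KeyProvider`, `InMemory`, `Remote`, `toy_sign` and `sign_event` are hypothetical names, the "remote" backend is a worker thread standing in for an HSM or KMS, and `toy_sign` is a non-cryptographic placeholder so the example runs with the standard library only.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
use std::sync::mpsc::{channel, Sender};
use std::thread;

/// Hypothetical interface: callers get a signing capability, never key bytes.
pub trait KeyProvider {
    // Fallible, because a hardware or network backend can be unreachable.
    fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, String>;
}

// Placeholder for a real signature algorithm (NOT cryptographic): a keyed hash.
fn toy_sign(secret: u64, msg: &[u8]) -> Vec<u8> {
    let mut h = DefaultHasher::new();
    secret.hash(&mut h);
    msg.hash(&mut h);
    h.finish().to_be_bytes().to_vec()
}

/// Backend 1: key material held in process memory.
pub struct InMemory { pub secret: u64 }
impl KeyProvider for InMemory {
    fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, String> { Ok(toy_sign(self.secret, msg)) }
}

/// Backend 2: simulated HSM/KMS. The handle holds only a channel, so only
/// sign requests and signatures cross it; the secret stays with the "device".
pub struct Remote { tx: Sender<(Vec<u8>, Sender<Vec<u8>>)> }
impl Remote {
    pub fn connect(device_secret: u64) -> Self {
        let (tx, rx) = channel::<(Vec<u8>, Sender<Vec<u8>>)>();
        // The worker thread plays the device and owns the secret.
        thread::spawn(move || {
            for (msg, reply) in rx { let _ = reply.send(toy_sign(device_secret, &msg)); }
        });
        Remote { tx }
    }
}
impl KeyProvider for Remote {
    fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, String> {
        let (rtx, rrx) = channel();
        self.tx.send((msg.to_vec(), rtx)).map_err(|e| e.to_string())?;
        rrx.recv().map_err(|e| e.to_string())
    }
}

/// Protocol code depends only on the trait, so either backend can be plugged in.
pub fn sign_event(kp: &dyn KeyProvider, event: &[u8]) -> Result<Vec<u8>, String> { kp.sign(event) }

fn main() { println!("{:?}", sign_event(&Remote::connect(7), b"constructed event")); }
```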
