Add verified-badge client layer: daemon, IPC, pilotctl

[TeoSlayer]

Completes the client layer for verified-address badges + identity-based node recovery. All optional — unverified nodes are unaffected.

Daemon (pkg/daemon/ipc.go)

• New IPC commands CmdSubmitBadge (0x2F/0x30) and CmdEnrollRecovery (0x31/0x32), matching common/driver.
• handleSubmitBadge: signs submit_badge:<node_id>:<badge> with the current key (proof of ownership) and forwards the verifier-produced badge + signature to the registry.
• handleEnrollRecovery: parses the enrollment, signs enroll_recovery:<node_id>:<commitment>, forwards. The raw external identity never reaches the daemon — only the opaque commitment.

pilotctl (cmd/pilotctl/verify.go)

• pilotctl verify --badge <b> --badge-sig <s> (or --from cred.json) — submit a badge via the daemon.
• pilotctl recovery enroll --enrollment <e> --enrollment-sig <s> — enroll a recovery commitment.
• pilotctl recovery new-key [--out <path>] — generate the replacement keypair and print its public key for cold-signing.
• pilotctl recovery recover --node <addr|id> --new-key <path> --recovery <auth> --recovery-sig <sig> — keyless force-rotate via a cold-key-signed authorization, talking directly to the registry (the daemon's key is, by definition, lost). Installs the new identity on success.

Bumps

• common → v0.5.2 (driver SubmitBadge/EnrollRecovery + registry-client methods).

Tests

• Daemon handler tests cryptographically verify the node-ownership signature over the canonical challenge; bad-payload / missing-field / no-identity / unparseable-enrollment all return errors.
• pilotctl tests drive verify + recovery enroll against a fake daemon, and prove recovery new-key produces a loadable identity whose public key matches the printed one.
• go test -race green on both packages; gofmt + vet clean.