feat: govern identity approval application and rollback #633

Merged: safal207 merged 3 commits into main from feat/identity-approval-application on Jun 24, 2026

safal207 (Owner) commented Jun 24, 2026

Implements #632.

Adds a fully separated, immutable identity governance lifecycle:

proposal -> approval -> patch -> durable commit -> profile activation -> optional rollback.

Core guarantees:

  • the proposing agent cannot approve its own identity change;
  • APPROVE, REJECT, EXPIRE, and INVALIDATE are explicit decisions;
  • approval is bound to the exact proposal digest;
  • new contradictory verified evidence invalidates an approved window;
  • rejected, expired, invalidated, or mismatched proposals cannot create a patch;
  • patch commit is required before activation;
  • activation creates profile v2 and preserves profile v1;
  • rollback creates profile v3 and never deletes history;
  • replay cannot reapply an existing application;
  • proposal, approval, patch, commit, application, profile snapshots, and rollback are separate contracts.

Includes JSON Schemas, a governance CLI, focused tests, and end-to-end generation from real Verified Episodes and IdentityUpdateProposal output.

Stack: #623 -> #626 -> #628 -> #629 -> #631 -> #633.

CI is green on Python 3.9 and 3.11, including Ruff, governance tests, end-to-end proposal generation, approval, commit-before-activation, profile version-chain validation, rollback, schemas, and Semgrep.

Evidence artifact: identity-governance-evidence.
SHA-256: 299855d8a6489821d165332619dd725f16f2b31d710cae4bc300c953dc953fd0.

safal207 force-pushed the feat/identity-approval-application branch from 4c6fbd3 to e14419e June 24, 2026 13:58
safal207 changed the base branch from feat/identity-update-proposal to main June 24, 2026 13:59
safal207 marked this pull request as ready for review June 24, 2026 14:09
safal207 merged commit e47023f into main Jun 24, 2026
12 checks passed
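
Several of the guarantees listed in the PR description (no self-approval, approval bound to the proposal digest, commit before activation, replay refusal, rollback that preserves history) can be sketched in Python as follows. This is an added illustration, not code from the PR or the project; every name here (`decide`, `ProfileLedger`, the proposal fields, the canonical-JSON digest) is a hypothetical assumption.

```python
import hashlib
import json

DECISIONS = {"APPROVE", "REJECT", "EXPIRE", "INVALIDATE"}
# Constructed sample proposal; the field names are hypothetical.
SAMPLE_PROPOSAL = {"proposed_by": "agent-a", "changes": {"tone": "formal"}}

class GovernanceError(Exception):
    """Raised when a lifecycle step violates a governance rule."""

def digest(obj):  # SHA-256 over canonical JSON (assumed digest scheme)
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def decide(proposal, approver, decision):
    if decision not in DECISIONS:
        raise GovernanceError("unknown decision")
    if approver == proposal["proposed_by"]:
        raise GovernanceError("proposer cannot decide on its own proposal")
    return {"proposal_digest": digest(proposal), "approver": approver,
            "decision": decision}  # bound to the exact proposal content

class ProfileLedger:
    def __init__(self, profile_v1):
        self.versions = [dict(profile_v1)]  # append-only; index 0 is v1
        self.committed = {}                 # patch id -> changes
        self.applied = set()                # patch ids already activated

    def commit_patch(self, proposal, approval):
        if approval["decision"] != "APPROVE":
            raise GovernanceError("only an APPROVE decision can create a patch")
        if approval["proposal_digest"] != digest(proposal):
            raise GovernanceError("approval does not match this proposal")
        patch_id = digest({"approval": approval, "changes": proposal["changes"]})
        self.committed[patch_id] = dict(proposal["changes"])
        return patch_id

    def activate(self, patch_id):
        if patch_id not in self.committed:
            raise GovernanceError("patch must be committed before activation")
        if patch_id in self.applied:
            raise GovernanceError("replay: patch already applied")
        self.applied.add(patch_id)
        self.versions.append({**self.versions[-1], **self.committed[patch_id]})
        return len(self.versions)

    def rollback(self, to_version):  # appends a copy; nothing is deleted
        self.versions.append(dict(self.versions[to_version - 1]))
        return len(self.versions)
```

Both `activate` and `rollback` return the new profile version number, so a caller can check the v1 -> v2 -> v3 chain directly.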