[CLI-006] Implement ori deploy keypair generation and cloud registration #8

@AdeGneus

Description

Context

The deploy bootstrap must generate the device identity on-device and register only public material with the cloud.

Scope

  • Add ori deploy command.
  • Generate Ed25519 keypair locally.
  • Store private key with restrictive permissions.
  • Register public key/device metadata with cloud when configured.

Non-Goals

  • Does not upload private keys.
  • Does not require cloud for local-only dry run.

Technical Specification

The private key is generated and stored locally; the public key is sent to the cloud registration API only after explicit operator confirmation or when a noninteractive flag is passed.

Acceptance Criteria

  • Private key never appears in HTTP payload/logs.
  • File permissions are restrictive.
  • Dry run works without network.
  • go test ./... passes.

Tests Required

Test                                 Verifies
TestDeployGeneratesKeypairLocally    Local key generation.
TestDeployNeverSendsPrivateKey       Payload safety.
TestDeployDryRun                     No network path.

Additional Test Coverage / Edge Cases

  • Private key file permissions must be restrictive and tested on supported platforms.
  • Dry-run must perform zero network calls and create no persistent credentials unless explicitly requested.
  • Registration payload must never include private key bytes or raw secrets.
  • Existing device key behavior must be explicit: refuse overwrite or require force flag.
  • Interrupted deploy must leave either no credentials or a consistent resumable state.

Invariants — Do Not Violate

  • Deploy keypairs are generated on-device; private key never leaves device.

Dependencies

Blocked by:

  • Nothing

Unblocks:

Contract References

  • CLI deploy reference
  • Cloud device registration contract

Priority

post-poc

Suggested Labels

ready, post-poc, security-sensitive

Labels

  • post-poc: Important but not blocking PoC.
  • ready: All dependencies met. Can be picked up now.
  • security-sensitive: Touches signing, tokens, keypairs, or Tier D paths.