feat: add key autorotate policy #900

Open: Manuthor wants to merge 15 commits into develop from feat/key_autorotate_policy

Conversation

@Manuthor (Contributor) commented Apr 3, 2026

Key Auto-Rotation (Scheduled / Policy-Driven)

  • KMIP link chain: ReKey links old and new keys via ReplacementObjectLink / ReplacedObjectLink (#859).
  • Auto-rotation background task: run_auto_rotation() scans all objects due for rotation and rotates them automatically; supports SymmetricKey (ReKey), Certificate (Certify upsert), and PrivateKey/PublicKey (RSA/EC/PQC key pairs).
  • Policy inheritance: new key inherits rotate_interval, rotate_name, rotate_offset from the old key; old key gets rotate_interval = 0 to prevent re-rotation.
  • Rotation lineage in key names: user-defined UIDs produce "toto_<uuid>" children; UUID suffix stripped on subsequent rotations.
  • Certificate renewal: creates entirely new objects (cert + key pair) with ReplacementObjectLink/ReplacedObjectLink; serial number mixed with timestamp to guarantee unique DER bytes per RFC 5280.
  • CLI: sym keys set-rotation-policy sub-command; --rotate-interval/--rotate-name/--rotate-offset flags on all create commands; re-key sub-commands for RSA, EC, PQC.
  • Web UI: Re-Key pages for all key types; Auto Rotation Policy panel in all Create and Certificate Certify forms; inline Auto-Rotate button in the Locate table.
  • Server flag: --auto-rotation-check-interval-secs to configure the background cron interval.

Renewal Notification System

  • NotificationsStore trait: backed by SQLite, PostgreSQL, MySQL (notifications table); Redis uses a no-op store.
  • dispatch_renewal_warnings: scans objects approaching rotation deadline, creates DB notifications, and sends e-mails via optional SMTP notifier (no feature flag — controlled by KMS_SMTP_HOST).
  • HTTP routes: GET /api/notifications, GET /api/notifications/count-unread, POST /api/notifications/{id}/read, POST /api/notifications/read-all.
  • Web UI: NotificationBell in header with live unread badge and inline Popover; full list at /notifications.
  • Security: SmtpConfig::Debug redacts the SMTP password with <redacted>.

PQC X.509 Certificate Generation

  • Server: Certify now supports ML-DSA-44/65/87 and all SLH-DSA variants (SHA2/SHAKE × 128s/f, 192s/f, 256s/f) as subject key algorithms and issuer signing keys (non-FIPS only); digest selection fixed to use the issuer's key type, mapping EdDSA/ML-DSA/SLH-DSA to MessageDigest::null().
  • CLI: Algorithm enum in certificate_utils extended with all ML-DSA, SLH-DSA, and ML-KEM/hybrid-KEM variants; KEM self-signed certificates are rejected by the server with a clear error.
  • Web UI / WASM: get_certificate_algorithms() exposes all ML-DSA, SLH-DSA, and ML-KEM options in the Generate New Keypair dropdown; data-testid="cert-algorithm-select" added to the algorithm <Select> for E2E testability.
  • E2E Playwright: new certificates-certify.spec.ts with 27 tests covering all four certification methods (generate key pair, existing public key, re-certify, CA-issued) and every supported algorithm; PQC tests auto-skipped in FIPS mode.

Multi-HSM Support

  • [[hsm_instances]] TOML config: unlimited simultaneous HSM instances; prefix-based routing (hsm, hsm1, hsm2, …).
  • GET /hsm/status endpoint: JSON array of all connected HSM instances with per-slot accessibility.
  • Web UI: Objects → HSM Status page; Locate.tsx prefix regex updated to /^hsm[0-9]*::/.

Closes #859
Closes #910
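The rotation rules described above (the child inherits the policy, the parent's interval is zeroed, lineage names keep a single UUID suffix, and the two objects are linked), as an added illustration that is not the project's code: struct and field names, the due-date formula (created_at + rotate_interval - rotate_offset) and the UUID-suffix heuristic are assumptions, and a fresh UUID is passed in rather than generated.

```rust
// Added example modelling the rotation rules described in the PR text; it is NOT the
// project's code. Struct/field names, the due-date formula and the UUID heuristic are assumptions.
#[derive(Clone, Debug, PartialEq)]
pub struct RotationPolicy {
    pub rotate_interval: u64,        // seconds between rotations; 0 means "never rotate"
    pub rotate_name: Option<String>, // inherited verbatim; its semantics are not modelled here
    pub rotate_offset: u64,          // seconds the rotation is pulled forward before the deadline
}

#[derive(Clone, Debug, PartialEq)]
pub struct KeyRecord {
    pub uid: String,
    pub created_at: u64, // unix seconds
    pub policy: RotationPolicy,
    pub replacement_object_link: Option<String>, // link to the newer key (ReplacementObjectLink)
    pub replaced_object_link: Option<String>,    // link to the older key (ReplacedObjectLink)
}

/// A key is due once its interval is non-zero and the offset-adjusted deadline has passed.
pub fn is_due(key: &KeyRecord, now: u64) -> bool {
    let p = &key.policy;
    p.rotate_interval != 0 && now >= (key.created_at + p.rotate_interval).saturating_sub(p.rotate_offset)
}

/// Heuristic: 36 chars, hyphens at 8/13/18/23, hex elsewhere (assumed, not the project's check).
fn looks_like_uuid(s: &str) -> bool {
    s.len() == 36 && s.bytes().enumerate().all(|(i, b)| {
        if matches!(i, 8 | 13 | 18 | 23) { b == b'-' } else { b.is_ascii_hexdigit() }
    })
}

/// "toto" -> "toto_<uuid>"; "toto_<old-uuid>" -> "toto_<uuid>" so names do not grow per rotation.
pub fn child_uid(parent_uid: &str, new_uuid: &str) -> String {
    let base = match parent_uid.rfind('_') {
        Some(i) if looks_like_uuid(&parent_uid[i + 1..]) => &parent_uid[..i],
        _ => parent_uid,
    };
    format!("{base}_{new_uuid}")
}

/// Returns (updated old key, new key): child inherits the policy, parent interval zeroed, links set.
pub fn rotate(old: &KeyRecord, new_uuid: &str, now: u64) -> (KeyRecord, KeyRecord) {
    let new_key = KeyRecord { uid: child_uid(&old.uid, new_uuid), created_at: now, policy: old.policy.clone(),
        replacement_object_link: None, replaced_object_link: Some(old.uid.clone()) };
    let mut old_key = old.clone();
    old_key.policy.rotate_interval = 0; // the scheduler will never pick the parent again
    old_key.replacement_object_link = Some(new_key.uid.clone());
    (old_key, new_key)
}
```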

@Manuthor force-pushed the feat/key_autorotate_policy branch 6 times, most recently from ef7ba40 to 8e7485d on April 8, 2026 11:46
@Manuthor marked this pull request as ready for review April 10, 2026 20:50
@Manuthor force-pushed the feat/key_autorotate_policy branch 4 times, most recently from 948fe9f to 114b984 on April 16, 2026 22:12
@HatemMn (Contributor) left a comment

Partial review only,

UI review will follow soon

As a general comment, some clippy allows might be omitted, or, if they are necessary, is it possible to please add a comment in front of them to explain why? (Otherwise they will be caught in later work.)

Review comment threads on: crate/server/src/core/operations/auto_rotate.rs (4 threads), crate/server/src/notifications/email.rs
@HatemMn (Contributor) left a comment

Other than those comments, amazing work, looks good and working well!

Review comment threads on: ui/src/pages/NotificationsPage.tsx (2 threads), ui/src/SymKeysReKey.tsx, ui/src/actions/Keys/SetRotationPolicy.tsx
@HatemMn (Contributor) left a comment

🚀

@Manuthor force-pushed the feat/key_autorotate_policy branch from 065a9a4 to 7c3c6e7 on April 18, 2026 22:22

Labels: None yet

Projects: None yet

Development: successfully merging this pull request may close these issues:

  • [server] KMS server should handle multiple HSM
  • Scheduled / policy-driven key auto-rotation

2 participants