feat: implement signature verification in Nexus registry #317

@imran-siddique

Implement cryptographic signature verification in Nexus module

Package: packages/agent-os/modules/nexus/

What

The Nexus module (agent registry and escrow) has TODO comments marking unimplemented cryptographic signature verification:

  • registry.py: "TODO: Verify signature against verification key" (2 occurrences)
  • escrow.py: "TODO: Generate actual signature"

These are security-critical paths where agents register identities and escrow capabilities.

Why

Without actual signature verification, agents could register with forged identities. This is a security gap in the trust chain.

How

  1. Look at how signing is implemented in packages/agent-mesh/src/agentmesh/trust/ for the pattern
  2. In registry.py: use the agent's public key to verify the signature on registration payloads
  3. In escrow.py: generate Ed25519 signatures using the agent's private key
  4. The toolkit uses cryptography and pynacl — both are already dependencies
  5. Add tests that verify: valid signatures pass, tampered payloads fail, wrong keys fail

Reference

Acceptance Criteria

  • registry.py verifies signatures using Ed25519 public keys
  • escrow.py generates Ed25519 signatures
  • Tests cover: valid sig, tampered payload, wrong key, expired cert
  • No TODO comments remain in security-critical paths
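
A sketch of the sign/verify round trip described in the How steps, covering the four test cases from the acceptance criteria. This is an added example, not code from the Nexus module or agent-mesh: the function names, the payload fields (agent_id, capabilities, expires_at) and the sorted-key JSON encoding are assumptions. Expiry is modelled as a signed payload field because the issue does not describe the certificate format.

```python
import json
import time
from typing import Optional

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)


def canonical_bytes(payload: dict) -> bytes:
    # Deterministic encoding so signer and verifier process identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_payload(private_key: Ed25519PrivateKey, payload: dict) -> bytes:
    # Escrow side (hypothetical helper): 64-byte Ed25519 signature over the payload.
    return private_key.sign(canonical_bytes(payload))


def verify_registration(public_key_raw: bytes, payload: dict, signature: bytes,
                        now: Optional[float] = None) -> bool:
    # Registry side (hypothetical helper): fail closed on any verification error.
    try:
        key = Ed25519PublicKey.from_public_bytes(public_key_raw)
        key.verify(signature, canonical_bytes(payload))
    except (InvalidSignature, ValueError, TypeError):
        return False  # bad signature, malformed key, or unserializable payload
    # expires_at is part of the signed bytes, so it cannot be altered after signing.
    expires_at = payload.get("expires_at")
    if not isinstance(expires_at, (int, float)):
        return False
    return (time.time() if now is None else now) < expires_at


def run_checks() -> dict:
    # Constructed sample data: throwaway keys and an invented registration payload.
    agent, other = Ed25519PrivateKey.generate(), Ed25519PrivateKey.generate()
    raw = lambda k: k.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    payload = {"agent_id": "agent-example-01", "capabilities": ["search"], "expires_at": 2000}
    sig = sign_payload(agent, payload)
    tampered = dict(payload, capabilities=["search", "admin"])
    return {
        "valid": verify_registration(raw(agent), payload, sig, now=1000),
        "tampered": verify_registration(raw(agent), tampered, sig, now=1000),
        "wrong_key": verify_registration(raw(other), payload, sig, now=1000),
        "expired": verify_registration(raw(agent), payload, sig, now=3000),
    }
```

Only the "valid" case returns True; the other three are rejected.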
