feat: implement mero-kms-phala service

[fbozic]

Note

Adds a TEE-aware key management service and enables optional encrypted storage in the node.

• New crates/mero-kms-phala: Axum service verifying TDX quotes and fetching deterministic keys via dstack-sdk; includes /health and /get-key endpoints, env-based config, Dockerfile, and compose file
• merod: fetches storage key from configured KMS (tee.kms.phala.url), derives attestation nonce from peer ID, and refuses to start if KMS fetch fails when TEE is configured
• New calimero-store-encryption: AES-256-GCM value encryption with HKDF-derived DEKs, key versioning/rotation; EncryptedDatabase wrapper and decrypting iterator
• calimero-store: StoreConfig supports with_encryption; transactions gain raw_put/raw_delete
• calimero-node: opens RocksDB wrapped by EncryptedDatabase when an encryption key is present
• calimero-config: adds tee → kms.phala.url types (using Url)
• CI/CD: adds mero-kms-phala binary to builds and a container release job with new prebuilt Dockerfile; minor extraction step tweak
• deny.toml: allows Dstack-TEE/dstack git source

^{Written by Cursor Bugbot for commit 9aa455a. This will update automatically on new commits. Configure here.}

[github-actions]

SDK JS Workflows Failed

The following SDK JS workflow(s) failed:

• examples/kv-store/workflows/simple-store-js.yml

Please check the workflow logs for more details.

[xilosada]

Please, address open issues

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[github-actions]

Merobox Proposals Workflows Failed

The following proposal workflow(s) failed:

• near
• icp
• ethereum

Please check the workflow logs for more details.

[github-actions]

Merobox Workflows Failed

The following workflow(s) failed after retries:

• nested-crdt-test/workflows/nested-crdt-test.yml

Please check the workflow logs for more details.