Agent-side device unbind / factory-reset + re-pair (method-A lifecycle)

[hanwencheng]

Split out of the method-A pairing-adoption PR (agent-initiated pairing: agent submits a request → master claims by scanning the code) to keep that PR focused on the pairing-direction flip. This issue is the device lifecycle half: unbind / factory-reset → re-pair to a (possibly new) owner.

Feature

agentkeys device unbind (and/or a daemon --unbind one-shot) = wipe the device's K10 + session + sidecar state locally. On the next --request-pairing the device mints a fresh key and shows a new pairing code; a (new) master claims it. The old on-chain binding orphans — inert, because the old key is destroyed and can never sign/mint again.

This is the IoT factory-reset → resell / re-onboard lifecycle that motivated method A in the first place (a no-input device the new owner re-pairs by scanning a fresh QR).

Scope

• Daemon: --unbind (wipe K10/session/sidecar; idempotent).
• CLI: agentkeys device unbind surface + confirmation.
• Harness: an unbind → re-pair test (asserts a fresh device_key_hash + a real registerAgentDevice, distinct from the prior binding).
• docs/operator-runbook-wire.md: a factory-reset / re-pair section.

Relation to #155

• SidecarRegistry: agent/device-initiated on-chain self-revocation (device-key-signed revoke) #155 = the on-chain device self-revocation (a contract change to SidecarRegistry so the device can clear its own binding on-chain — Heima-mainnet redeploy + migration).
• This issue = the client-side unbind + re-pair (local re-key, orphan the old binding). It ships independently of SidecarRegistry: agent/device-initiated on-chain self-revocation (device-key-signed revoke) #155: re-pair-with-a-fresh-key works today because the old key is destroyed; SidecarRegistry: agent/device-initiated on-chain self-revocation (device-key-signed revoke) #155 later adds the on-chain cleanup of the orphaned row.

References

• Method-A pairing PR (branch claude/agent-initiated-pairing) + docs/spec/plans/agent-initiated-pairing-method-a.md.
• SidecarRegistry: agent/device-initiated on-chain self-revocation (device-key-signed revoke) #155 (on-chain self-revoke), arch.md §10.2 (bootstrap) + §10.3 (rotation/revocation).