feat(nat): apply Mick's TLS-derived identity + coordinator rotation fixes

Incorporates saorsa-core PR #75 and saorsa-transport PR #52:

saorsa-core:
- Eliminate IDENTITY_ANNOUNCE_PROTOCOL entirely. Peer identity derived
  synchronously from TLS ML-DSA-65 SPKI during QUIC handshake.
- IDENTITY_EXCHANGE_TIMEOUT dropped from 15s to 2s (safety net only).
- Dial coalescing via inflight_dials DashMap prevents duplicate connections.
- wait_for_peer_identity rewritten from polling to event-driven Notify.
- Two-phase PeerConnected (TLS handshake, then first signed message).
- Referrer ranking: round-aware, trust-scored, deterministic tiebreak.
- Bootstrap peer shuffling for load distribution.

saorsa-transport:
- TLS-key-based connection dedup at accept (fixes symmetric NAT rebinding).
- RelaySlotTable: node-wide coordinator back-pressure (32 slots, 5s idle).
- Coordinator rotation timeout 1.5s -> 4s, multi-coordinator list.
- Per-rotation direct probe removed (was causing duplicate connections).
- Relay fallback rotates through all candidates.
- Reachability model: scope-aware, peer-verified, TTL-based.
- Rate limit 50 -> 300 per 60 seconds.
- Panic sites removed, safe indexing throughout.
- Coordination table cleanup implemented (60s TTL).

492 ant-node tests pass.

Author: grumbach