feat(cli): implement device revoke

- Remove device from devices.json
- Append to revoked.json with timestamp and revoked_by
- Delete Gitea deploy key (best-effort, warns if env vars missing)
- Always commit both devices.json and revoked.json together
- Print revoked signing public key for audit confirmation
- Guard against revoking the current device (would lose push access)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

crates/relicario-cli/src/main.rs

@@ -2482,13 +2482,13 @@ fn cmd_device(action: DeviceAction) -> Result<()> {
                 }
             }
 
-            // Commit devices.json + revoked.json.
-            let mut paths = vec![".relicario/devices.json"];
-            if revoked_path.exists() {
-                paths.push(".relicario/revoked.json");
-            }
-            let mut add_args = vec!["add"];
-            add_args.extend_from_slice(&paths);
+            // Commit devices.json + revoked.json (always both — revoked.json
+            // was just written above so it is guaranteed to exist).
+            let add_args = [
+                "add",
+                ".relicario/devices.json",
+                ".relicario/revoked.json",
+            ];
             let status = crate::helpers::git_command(&root, &add_args).status()?;
             if !status.success() {
                 anyhow::bail!("git add failed");
@@ -2501,6 +2501,7 @@ fn cmd_device(action: DeviceAction) -> Result<()> {
             }
 
             eprintln!("Device '{}' revoked.", name);
+            eprintln!("Revoked signing key: {}", device.public_key);
             Ok(())
         }