Introduces a `nats` feature-gated event system that publishes
lease lifecycle events (issued, revoked, revocation_failed) to NATS
subjects under a configurable prefix.

- Add `VaultEvent` enum with serde tag-based serialization
- Add `VaultEventPublisher` with best-effort fire-and-forget semantics
- Add `NatsVaultConfig` with sensible defaults (disabled by default)
- Wire `VaultEventPublisher` into `LeaseRevocationWorker`
- Gate all event code behind `#[cfg(feature = "nats")]`

SurrealDBBackend was backed by Arc<RwLock<HashMap>> — no connection to
SurrealDB whatsoever. Rewrite to a real Surreal<Any> connection:

- engine::any dispatch: mem:// (embedded, tests) and ws://wss:// (prod)
- All 11 StorageBackend methods: SurrealQL upsert/select/delete/query
- Vec<u8> fields base64-encoded; timestamps as RFC3339 UTC strings
- MVCC write-conflict retry: exponential backoff 5ms→80ms + uniform
  jitter, 5 attempts — resolves SurrealDB optimistic-concurrency errors
  under concurrent load without external locking
- Mirror ID fields in records to avoid RecordId enum parsing in lists
- 9 unit tests (mem://, no server) + 19 integration tests with UUID
  database isolation; concurrent coverage: 16 secret + 8 key writers

- Add badges, competitive comparison, and 30-sec demo to README
- Add Production Status section showing OQS backend is production-ready
- Mark PQC KEM/signing operations complete in roadmap
- Fix GitHub URL
- Create CHANGELOG.md documenting all recent changes

Positions SecretumVault as first Rust vault with production PQC.
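
The write-conflict retry described in the SurrealDB backend notes above (exponential backoff 5ms→80ms plus uniform jitter), sketched as an added example; this is not SecretumVault's code. Assumptions: "5 attempts" is read as five delayed retries after the first try, jitter is uniform in [0, base), and the names `Jitter`, `delay` and `retry_on_conflict` are hypothetical.

```rust
use std::time::Duration;

// Assumed schedule: retry n (0-based) waits 5 ms << n, i.e. 5, 10, 20, 40, 80 ms.
const BASE_MS: u64 = 5;
const MAX_RETRIES: u32 = 5;

/// xorshift64 so the example needs no external crate. Not cryptographic:
/// jitter only has to de-correlate concurrent writers.
pub struct Jitter(u64);
impl Jitter {
    pub fn new(seed: u64) -> Self { Jitter(seed | 1) }
    fn next_u64(&mut self) -> u64 {
        self.0 ^= self.0 << 13;
        self.0 ^= self.0 >> 7;
        self.0 ^= self.0 << 17;
        self.0
    }
}

/// Delay before retry `n`: exponential base plus uniform jitter in [0, base).
pub fn delay(n: u32, rng: &mut Jitter) -> Duration {
    let base = BASE_MS << n;
    Duration::from_millis(base + rng.next_u64() % base)
}

/// Runs `op`; on a conflict error it sleeps and retries, up to MAX_RETRIES times.
/// Any other error returns at once so real failures are never masked as contention.
pub fn retry_on_conflict<T, E>(
    mut op: impl FnMut() -> Result<T, E>,
    is_conflict: impl Fn(&E) -> bool,
    mut sleep: impl FnMut(Duration),
    rng: &mut Jitter,
) -> Result<T, E> {
    for n in 0..MAX_RETRIES {
        match op() {
            Err(e) if is_conflict(&e) => sleep(delay(n, rng)),
            other => return other,
        }
    }
    op() // last try: its result, conflict or not, goes back to the caller
}

fn main() {
    // Constructed scenario: the first three writes report a conflict.
    let (mut calls, mut rng) = (0u32, Jitter::new(0x5eed));
    let op = || { calls += 1; if calls <= 3 { Err("conflict") } else { Ok(calls) } };
    let r = retry_on_conflict(op, |e: &&str| *e == "conflict", std::thread::sleep, &mut rng);
    println!("{:?}", r); // Ok(4)
}
```

The sleep function is injected so a test can record delays instead of waiting; an async backend would pass its runtime's timer in the same position.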