
Azure EKM key lifecycle synchronization #883

@Manuthor

Description

Summary

The existing Azure EKM proxy routes cryptographic operations to Cosmian KMS correctly. However, key lifecycle events in Azure Key Vault (key version creation, rotation, expiry, revocation) are not reflected in Cosmian KMS, and vice versa. This creates configuration drift in hybrid deployments.

Impact

  • Key rotation triggered in Azure does not propagate to Cosmian KMS, causing the proxy to use stale key material
  • Expiry events in Azure cause silent failures in the EKM proxy
  • Hybrid deployments require manual synchronization, which is error-prone and difficult to audit

Implementation plan

  1. New scheduled task in crate/server/src/cron.rs:
    • Poll Azure Key Vault API for key version changes on a configurable interval
    • Sync new Azure key versions as KMIP key objects linked to the existing EKM namespace
  2. Inbound event handler for Azure Event Grid:
  3. New config block:
    [integrations.azure_ekm.lifecycle_sync]
    enabled = false
    poll_interval_secs = 3600
    event_grid_webhook_secret = "${AZURE_EKM_WEBHOOK_SECRET}"

Files: crate/server/src/cron.rs, crate/server/src/routes/azure_ekm/
Effort: Medium (3-4 weeks) | Requires #859 (key rotation)
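To make the drift described under Impact concrete, here is an added example (mine, not code from this issue or from the Cosmian KMS code base) of the reconciliation step the scheduled task in step 1 would run after each poll of the Key Vault "list key versions" call. It models each version with the `enabled`, `created`, `nbf` and `exp` attributes Key Vault returns, assumes a hypothetical `Mirror` record for what KMS currently holds (the `Mirror` type, the `SyncAction` enum and `plan_sync` are all my own names, not a Cosmian API), and emits the KMIP-style operations needed to converge. It covers both failure modes from the impact list: an expired version is deactivated and a new current version is selected, or an explicit "none" if nothing is usable, so the proxy fails loudly instead of using stale material; and a version that Azure has re-enabled after KMS already revoked it is surfaced as a conflict for an operator, because KMIP lifecycle transitions only move forward. The same planner serves the Event Grid path in step 2: treat the inbound event as a trigger to re-poll the authoritative API, not as the source of truth.

```rust
use std::collections::{BTreeMap, HashMap};

/// One entry of Key Vault's "list key versions" response, reduced to what the sync needs (Unix seconds).
#[derive(Debug, Clone)]
pub struct AzureKeyVersion {
    pub version: String, pub enabled: bool, pub created: u64,
    pub nbf: Option<u64>, pub exp: Option<u64>,
}
/// KMIP object state; declaration order matters, transitions only move forward.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum MirrorState { Active, Deactivated, Revoked }
/// Hypothetical model of what KMS holds for one Azure key (not Cosmian's API).
#[derive(Debug, Clone, Default)]
pub struct Mirror {
    pub versions: HashMap<String, MirrorState>,
    /// Version the EKM proxy uses for new operations, if any.
    pub current: Option<String>,
}
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SyncAction {
    Create(String),
    Deactivate(String),
    Revoke(String),
    /// `None` = no usable version: refuse new operations, never fall back to stale material.
    SetCurrent(Option<String>),
    /// Azure asks for a state KMIP cannot move back to; escalate to an operator.
    Conflict { version: String, wanted: MirrorState, have: MirrorState },
}

/// State Azure's attributes imply for a version at time `now`.
fn desired_state(v: &AzureKeyVersion, now: u64) -> MirrorState {
    match (v.enabled, v.exp) {
        (false, _) => MirrorState::Revoked,
        (true, Some(exp)) if exp <= now => MirrorState::Deactivated,
        _ => MirrorState::Active,
    }
}

/// Usable for new operations: enabled and inside the [nbf, exp) window.
fn usable(v: &AzureKeyVersion, now: u64) -> bool {
    desired_state(v, now) == MirrorState::Active && v.nbf.map_or(true, |nbf| nbf <= now)
}

/// Ordered list of KMS operations that converge `mirror` on Azure's state.
pub fn plan_sync(azure: &[AzureKeyVersion], mirror: &Mirror, now: u64) -> Vec<SyncAction> {
    let mut actions = Vec::new();
    // BTreeMap keyed by version id: deterministic, auditable action order.
    let by_version: BTreeMap<&str, &AzureKeyVersion> =
        azure.iter().map(|v| (v.version.as_str(), v)).collect();
    for (ver, v) in &by_version {
        let wanted = desired_state(v, now);
        let forward = |state| match state {
            MirrorState::Deactivated => Some(SyncAction::Deactivate(ver.to_string())),
            MirrorState::Revoked => Some(SyncAction::Revoke(ver.to_string())),
            MirrorState::Active => None,
        };
        match mirror.versions.get(*ver) {
            // Unknown to KMS: mirror it, then apply Azure's terminal state if already expired/disabled.
            None => {
                actions.push(SyncAction::Create(ver.to_string()));
                actions.extend(forward(wanted));
            }
            Some(&have) if have == wanted => {}
            Some(&have) if wanted > have => actions.extend(forward(wanted)),
            Some(&have) => actions.push(SyncAction::Conflict { version: ver.to_string(), wanted, have }),
        }
    }
    // Versions KMS holds that Azure no longer lists (deleted or purged).
    let mut gone: Vec<&String> = mirror.versions.iter()
        .filter(|(ver, st)| !by_version.contains_key(ver.as_str()) && **st != MirrorState::Revoked)
        .map(|(ver, _)| ver).collect();
    gone.sort();
    actions.extend(gone.into_iter().map(|ver| SyncAction::Revoke(ver.clone())));
    // Newest usable version that KMS can still serve becomes current; none usable => explicit None.
    let current = by_version.values()
        .filter(|v| usable(v, now)
            && mirror.versions.get(v.version.as_str()).map_or(true, |&st| st == MirrorState::Active))
        .max_by_key(|v| (v.created, v.version.clone())).map(|v| v.version.clone());
    if current != mirror.current {
        actions.push(SyncAction::SetCurrent(current));
    }
    actions
}

/// Constructed sample (not real vault data): expired v1, live v2, not-yet-valid v3, disabled v4;
/// KMS still points at v1 and holds a v0 that Azure no longer lists.
pub fn demo() -> Vec<SyncAction> {
    let kv = |version: &str, enabled, created, nbf, exp| AzureKeyVersion {
        version: version.to_string(), enabled, created, nbf, exp,
    };
    let azure = vec![
        kv("v1", true, 1_690_000_000, None, Some(1_699_000_000)),
        kv("v2", true, 1_695_000_000, None, Some(1_710_000_000)),
        kv("v3", true, 1_699_900_000, Some(1_700_100_000), None),
        kv("v4", false, 1_698_000_000, None, None),
    ];
    let versions = ["v0", "v1", "v2"].map(|v| (v.to_string(), MirrorState::Active));
    let mirror = Mirror { versions: HashMap::from(versions), current: Some("v1".to_string()) };
    plan_sync(&azure, &mirror, 1_700_000_000)
}

fn main() { demo().iter().for_each(|a| println!("{a:?}")); }
```

Running `demo()` yields, in order: deactivate v1, create v3, create v4 and immediately revoke it, revoke the orphaned v0, and switch the proxy's current version to v2 (v3 is mirrored but not selected because its `nbf` has not passed). Emitting a plan rather than mutating directly is deliberate: the list can be logged as the audit record the manual process lacks, and the `Conflict` variant keeps the task from silently "fixing" a state the KMIP lifecycle cannot legitimately reach.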

Metadata

Assignees: No one assigned
Labels: enhancement (New feature or request)