feat: Automatic delegation sessions

[adamspofford-dfinity]

Password-protected identities will generate 'session' delegations by default so you don't have to keep entering your password.

• This happens by default whenever you use your password with an identity-based command
• This can be explicitly triggered with icp identity reauth

A user setting configures the session duration, with two more minutes tacked on to account for clock drift, or can disable the automatic form of this feature.

Only keyring storage is used, since plaintext would not be secure enough for automation. Keyring errors are not an error in the automatic path; it just uses the identity normally.

[Copilot]

Pull request overview

Adds automatic, cached “session delegation” support for password-protected PEM identities so users don’t need to re-enter passwords on every identity-based command, with an explicit icp identity login flow and a configurable session duration.

Changes:

• Introduces PEM session delegation caching (key in keyring + delegation chain on disk) and reuses it on subsequent loads.
• Adds icp settings session-length to configure/disable automatic session caching, and makes icp identity login public with PEM support.
• Updates CLI docs, changelog, and adds integration tests covering automatic + explicit session creation.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
docs/reference/cli.md	Documents icp identity login and icp settings session-length.
crates/icp/src/settings.rs	Adds session_length setting (minutes) with default and serde handling.
crates/icp/src/identity/mod.rs	Passes session duration into identity loader; makes password func clonable via Arc.
crates/icp/src/identity/key.rs	Implements session delegation load/create/store + best-effort migration/cleanup on rename/delete.
crates/icp/src/context/mod.rs	Stores password_func on Context for reuse by commands.
crates/icp/src/context/init.rs	Wires password func + session duration into Context/identity loader.
crates/icp-cli/tests/identity_tests.rs	Adds end-to-end tests for session reuse and explicit login behavior.
crates/icp-cli/src/main.rs	Loads settings to compute default session duration and passes it into context init.
crates/icp-cli/src/commands/settings.rs	Adds settings session-length subcommand and value parsing/printing.
crates/icp-cli/src/commands/identity/mod.rs	Exposes identity login (removes hidden flag).
crates/icp-cli/src/commands/identity/login.rs	Extends identity login to support PEM sessions + duration behavior.
CHANGELOG.md	Notes the new password-prompt reduction behavior for password identities.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[lwshang]

Reviewed the automatic delegation sessions change — solid and well-tested. A few inline notes below.