Implement the arti hsc prepare-stealth-mode-key subcommand

See the proposal in !1987 (comment 2996998)

• Pick a name for the subcommand (prepare-restricted-mode-key? prepare-shielded-mode-key?)
• Implement the subcommand:

   arti hsc prepare-stealth-mode-key
        --hs[-]nick[name] ...      # no default, option has shorter convenience aliases
        [ --config arti.toml ]     # default is default arti.toml
        [ --keystore ... ]         # default is `default`; no client nicknames yet
        [ --output FOO.auth ]      # default is <hs-nickname>.auth, use `-` for stdout
        [ --overwrite ]            # overwrites any existing output file; default is to refuse
        [ --generate=no|yes|if-needed ]     # if-needed is the default; otherwise, can error

This depends on #1283 (closed), #1284 and #1291 (closed)