feat(secureservice): add admission primitives #680

Open
ZanzyTHEbar wants to merge 1 commit into anyproto:main from ZanzyTHEbar:federated-admission-primitives

@ZanzyTHEbar

Summary

  • Add provider-neutral admission primitives to secureservice for future federated network admission support.
  • Add disabled-by-default secure.admission config fields and defaults for issuer/audience/JWKS/claims/identity binding metadata.
  • Add a no-op verifier and focused tests without changing handshake behavior.

Rationale

This is the first small, reviewable slice toward generic federated admission control for self-hosted Any-Sync networks. It intentionally avoids provider-specific assumptions and does not wire admission into runtime authentication yet.

Security

  • No authentication behavior changes in this PR.
  • Admission is disabled by default.
  • No secrets or provider-specific configuration are introduced.
  • Future PRs can implement JWT/JWKS verification behind the new AdmissionVerifier interface.

Validation

  • PASS: go test ./net/secureservice
  • PASS: go test ./net/secureservice/handshake
  • PASS: go test ./... -run '^$'
  • KNOWN UNRELATED FAILURE: go test ./... fails in github.com/anyproto/any-sync/net/rpc/limiter at TestLimiter_Concurrent_Bursts; rerunning go test ./net/rpc/limiter reproduces the same threshold failure.

Introduce provider-neutral admission config and verifier types for future federated network admission support. The new config is disabled by default and does not change handshake behavior.
@github-actions

github-actions Bot commented May 20, 2026

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

@ZanzyTHEbar

Author

I have read the CLA Document and I hereby sign the CLA

@ZanzyTHEbar

Author

recheck
