
feat(secureservice): add JWT admission verifier #681

Draft

ZanzyTHEbar wants to merge 2 commits into anyproto:main from ZanzyTHEbar:federated-admission-jwt

Conversation

@ZanzyTHEbar


Stack

This is the second PR in the federated admission stack and is intentionally marked draft until #680 lands.

  1. #680 (feat(secureservice): add admission primitives) adds provider-neutral admission primitives and config.
  2. This PR adds a static JWKS-backed JWT admission verifier behind that interface.

Please review this PR as the delta after #680.

Summary

  • Add a provider-neutral JWT AdmissionVerifier implementation backed by a static JWKS document.
  • Validate token signature, issuer, audience, expiry, network id, Anytype identity binding, subject, and required claims.
  • Support standard asymmetric JWT algorithms (RS256/384/512, ES256/384/512, EdDSA) without wiring the verifier into the handshake yet.

Security

  • No runtime authentication behavior changes in this PR.
  • No provider-specific logic or Authentik-specific assumptions.
  • Rejects unsigned/unsupported algorithms by construction.
  • Binds the JWT identity claim to the presented Anytype account identity to prevent token reuse with another identity.

Validation

  • PASS: go test ./net/secureservice
  • PASS: go test ./net/secureservice/handshake
  • PASS: go test ./... -run '^$'
  • KNOWN UNRELATED FAILURE: go test ./... fails in github.com/anyproto/any-sync/net/rpc/limiter at TestLimiter_Concurrent_Bursts; this was reproduced before this PR and still reproduces.

Introduce provider-neutral admission config and verifier types for future federated network admission support. The new config is disabled by default and does not change handshake behavior.

Add a static JWKS-backed AdmissionVerifier implementation for provider-neutral federated admission. The verifier validates token signature, issuer, audience, expiry, network id, Anytype identity binding, subject, and required claims without wiring it into the handshake yet.
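The check sequence the PR summary describes (kid-selected key from a static JWKS, algorithm rejection by construction, then issuer/audience/expiry/network id/subject checks and the identity binding) as a self-contained Go example. This is an added illustration, not code from the PR or from any-sync: the claim names `network_id` and `anytype_identity`, the `Verifier`/`NewVerifier`/`Verify`/`MintToken`/`StaticJWKS` names, the single-string `aud`, and the demo issuer and network values are all assumptions. Only EdDSA (Ed25519) is implemented here; the RS*/ES* algorithms the PR supports would be further cases of the same alg switch under the same key-pinned rule.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// jwk is the JWKS member subset used here (this example's own type); encoding/json matches the
// lowercase JWKS names case-insensitively. Only OKP/Ed25519 keys are handled in Verify.
type jwk struct{ Kty, Kid, Alg, Crv, X string }

// Claims models the checked claim set; "network_id" and "anytype_identity" are assumed names.
type Claims struct {
	Iss       string `json:"iss"`
	Sub       string `json:"sub"`
	Aud       string `json:"aud"`
	Exp       int64  `json:"exp"`
	NetworkID string `json:"network_id"`
	Identity  string `json:"anytype_identity"`
}

// Verifier holds a static JWKS keyed by kid plus the expected issuer, audience and network id.
type Verifier struct {
	keys                        map[string]jwk
	Issuer, Audience, NetworkID string
}

func NewVerifier(jwksJSON []byte, issuer, audience, networkID string) (*Verifier, error) {
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	v := &Verifier{keys: map[string]jwk{}, Issuer: issuer, Audience: audience, NetworkID: networkID}
	for _, k := range set.Keys {
		v.keys[k.Kid] = k // a key without kid/alg can never satisfy the alg pin in Verify, so it is inert
	}
	return v, nil
}

func decodeSeg(seg string, out any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// Verify selects the key by kid and pins the algorithm to that key (so "none" or HS256 in the header
// is refused before any signature math), checks the signature, then iss/aud/exp/network id/sub, and
// finally binds the token to presentedIdentity so a valid token cannot be replayed by another account.
func (v *Verifier) Verify(token, presentedIdentity string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decodeSeg(parts[0], &hdr) != nil {
		return nil, errors.New("malformed compact JWS")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	key, ok := v.keys[hdr.Kid]
	if err != nil || !ok || hdr.Alg != key.Alg {
		return nil, fmt.Errorf("kid %q with alg %q not permitted, or signature malformed", hdr.Kid, hdr.Alg)
	}
	pub, _ := base64.RawURLEncoding.DecodeString(key.X) // operator-supplied key material; a bad length fails below
	switch key.Alg {
	case "EdDSA":
		if key.Kty != "OKP" || key.Crv != "Ed25519" || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
			return nil, errors.New("signature invalid")
		}
	default: // a key advertising an alg not implemented here is unusable, never a fallback
		return nil, fmt.Errorf("unsupported alg %q", key.Alg)
	}
	var c Claims
	switch {
	case decodeSeg(parts[1], &c) != nil:
		return nil, errors.New("malformed claims")
	case c.Iss != v.Issuer, c.Aud != v.Audience, c.NetworkID != v.NetworkID, c.Sub == "":
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q network_id=%q sub=%q", c.Iss, c.Aud, c.NetworkID, c.Sub)
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired or exp missing")
	case c.Identity == "" || c.Identity != presentedIdentity:
		return nil, errors.New("token identity does not match the presented account identity")
	}
	return &c, nil
}

// MintToken is the demo issuer side (constructed sample input, not an IdP): an EdDSA compact JWS.
func MintToken(priv ed25519.PrivateKey, kid string, c Claims) string {
	enc := func(x any) string { b, _ := json.Marshal(x); return base64.RawURLEncoding.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "EdDSA", "kid": kid}) + "." + enc(c)
	return signing + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(signing)))
}

// StaticJWKS renders a one-key JWKS document for pub (constructed sample input).
func StaticJWKS(pub ed25519.PublicKey, kid string) []byte {
	x := base64.RawURLEncoding.EncodeToString(pub)
	return []byte(`{"keys":[{"kty":"OKP","kid":"` + kid + `","alg":"EdDSA","crv":"Ed25519","x":"` + x + `"}]}`)
}
```

Usage: generate an Ed25519 key, build the verifier from `StaticJWKS(pub, "k1")`, mint a token with `MintToken`, and call `Verify(token, presentedIdentity, time.Now())`. The two properties worth exercising are that the same valid token is rejected when presented with a different account identity, and that a header rewritten to `"alg":"none"` (or any alg other than the one the JWKS entry declares) is rejected before the claims are even parsed.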
@github-actions

github-actions Bot commented May 20, 2026


CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

@ZanzyTHEbar

Author

I have read the CLA Document and I hereby sign the CLA

@ZanzyTHEbar

Author

recheck


1 participant