feat: add license validation and entitlements (Rust) (#46)

Introduces the offline license infrastructure for the Base/Premium editions.

- jsonwebtoken (EdDSA) verifies license JWTs against an embedded Ed25519
  public key. The exp claim is mandatory (CWE-613) and is enforced via
  Validation::set_required_spec_claims.
- Activation tokens (server-issued, machine-bound) prevent license.key
  copying between machines. Storage is wired up; the actual issuance flow
  ships with Issue #49.
- get_edition() fails closed to "free" when the license is missing,
  invalid, expired, or activated for a different machine.
- New commands/entitlements module centralizes feature → tier mapping so
  Issue #48 (and any future gate) reads from a single source of truth.
- machine-uid provides the cross-platform machine identifier; OS reinstall
  invalidates the activation token by design.
- Tests cover happy path, expiry, wrong-key signature, malformed JWT,
  unknown edition, and machine_id matching for activation tokens.

The embedded PUBLIC_KEY_PEM is the RFC 8410 §10.3 test vector, clearly
labelled as a development placeholder; replacing it with the production
public key is a release-time task.

.forgejo/workflows/check.yml

@@ -20,19 +20,16 @@ jobs:
       PATH: /root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
       CARGO_TERM_COLOR: always
     steps:
-      - name: Install system dependencies, Node.js and Rust
+      - name: Install system dependencies
         run: |
           apt-get update
           apt-get install -y --no-install-recommends \
             curl wget git ca-certificates build-essential pkg-config \
             libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev libssl-dev
-          # Node.js is required by actions/checkout and actions/cache (they
+
-          # are JavaScript actions and need `node` in the container PATH).
+      - name: Install Rust toolchain (stable)
-          curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
+        run: |
-          apt-get install -y nodejs
-          # Rust toolchain
           curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
-          node --version
           rustc --version
           cargo --version