Feat/exchange provider token for jwt#8

Open
MP-Tool wants to merge 4 commits into
moghtech:mainfrom
MP-Tool:feat/exchange-provider-token-for-jwt

Conversation

@MP-Tool MP-Tool commented Jun 27, 2026

PR: Add ExchangeProviderTokenForJwt (RFC 8693 Token Exchange)

Adds a new login path that lets external clients exchange an already-established OAuth provider token directly for a Komodo JWT — no second browser redirect needed. Related to the Komodo feature request #1406

What changed

New API types (auth/client/rs, auth/client/ts)
SubjectTokenType enum with three variants — OidcIdToken, GoogleIdToken, GitHubAccessToken — using RFC 8693 field names (subject_token_type, subject_token). Registered in LoginRequest, OpenAPI schema, and the generated TypeScript client.

AuthImpl trait extension (auth/server/src/lib.rs)
Three new default methods: exchange_and_validate_oidc_token, exchange_and_validate_github_token, exchange_and_validate_google_token. Each defaults to a "Must implement" error — no existing implementation breaks at compile time.

OIDC provider (auth/server/src/provider/oidc.rs)
New public validate_id_token_and_extract_subject for stateless ID token validation: verifies signature, issuer, audience, and expiry; skips nonce and access_token_hash, which don't apply to direct token exchange. Internally reuses the newly extracted private helper validate_id_token_claims, which also eliminates the duplicated additional_audiences verifier logic from the existing authorization code flow.

Login endpoint (auth/server/src/api/login/mod.rs)
Resolve<LoginArgs> impl for ExchangeProviderTokenForJwt: dispatches on subject_token_type, calls the matching AuthImpl method, mints a JWT for the returned subject. Rate-limited and instrumented identically to ExchangeForJwt. The existing ExchangeForJwt resolver was refactored to extract a private helper — no behaviour change.

Tests — 21 unit tests: JWT subject verification for all three providers, per-provider rejection, empty token, and cross-provider routing (a token accepted by one SubjectTokenType must be rejected by any other).
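An added sketch, not Komodo's code and not this PR's diff, of the two mechanisms the description names: the resolver dispatching on `subject_token_type` to fail-closed `AuthImpl` default methods, and the stateless issuer/audience/expiry checks behind `validate_id_token_claims`. Enum variants and method names follow the PR; the config fields, the constructed `iss|aud|exp|sub` token string and the `OidcOnly` implementor are assumptions made for the illustration.

```rust
// Added illustration (not Komodo's code). Names mirror the PR description;
// the token format below is a constructed stand-in for a decoded JWT.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SubjectTokenType { OidcIdToken, GoogleIdToken, GitHubAccessToken }

pub struct IdTokenClaims { pub iss: String, pub aud: Vec<String>, pub exp: u64, pub sub: String }
pub struct OidcConfig { pub issuer: String, pub client_id: String, pub additional_audiences: Vec<String> }

/// Issuer, audience (client_id or one of the extra allowed audiences) and expiry.
/// nonce / at_hash are deliberately not checked: they only exist in the redirect flow.
/// Signature verification is assumed to have happened before the claims were decoded.
pub fn validate_id_token_claims(cfg: &OidcConfig, c: &IdTokenClaims, now: u64) -> Result<String, String> {
    if c.iss != cfg.issuer { return Err("issuer mismatch".into()); }
    if !c.aud.iter().any(|a| a == &cfg.client_id || cfg.additional_audiences.contains(a)) {
        return Err("audience mismatch".into());
    }
    if c.exp <= now { return Err("token expired".into()); }
    if c.sub.is_empty() { return Err("missing sub".into()); }
    Ok(c.sub.clone())
}

/// Default methods fail closed, so existing AuthImpl implementors keep compiling.
pub trait AuthImpl {
    fn exchange_and_validate_oidc_token(&self, _t: &str) -> Result<String, String> { Err("Must implement".into()) }
    fn exchange_and_validate_google_token(&self, _t: &str) -> Result<String, String> { Err("Must implement".into()) }
    fn exchange_and_validate_github_token(&self, _t: &str) -> Result<String, String> { Err("Must implement".into()) }
}

/// Resolver-side dispatch: each subject_token_type reaches only its own verifier,
/// so a token accepted by one provider path is never evaluated by another.
pub fn exchange_provider_token(auth: &dyn AuthImpl, kind: SubjectTokenType, token: &str) -> Result<String, String> {
    if token.trim().is_empty() { return Err("empty subject_token".into()); }
    match kind {
        SubjectTokenType::OidcIdToken => auth.exchange_and_validate_oidc_token(token),
        SubjectTokenType::GoogleIdToken => auth.exchange_and_validate_google_token(token),
        SubjectTokenType::GitHubAccessToken => auth.exchange_and_validate_github_token(token),
    }
}

/// Hypothetical implementor wiring up only OIDC. The constructed "iss|aud|exp|sub"
/// string stands in for a JWT whose signature has already been verified.
pub struct OidcOnly { pub cfg: OidcConfig, pub now: u64 }
impl AuthImpl for OidcOnly {
    fn exchange_and_validate_oidc_token(&self, t: &str) -> Result<String, String> {
        let p: Vec<&str> = t.split('|').collect();
        if p.len() != 4 { return Err("malformed id token".into()); }
        let exp = p[2].parse::<u64>().map_err(|_| "bad exp".to_string())?;
        let claims = IdTokenClaims { iss: p[0].into(), aud: vec![p[1].into()], exp, sub: p[3].into() };
        validate_id_token_claims(&self.cfg, &claims, self.now)
    }
}
```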
