refactor: unify JwtOptions schema with obsidian-mcp + simplify deploy

- Config/JwtOptions: flatten SigningKeyCurrent/Previous into nested
  SigningKey { Current, Previous } class to match obsidian-mcp shape.
  Both services now bind the same env var pattern (Jwt__SigningKey__Current),
  removing the schema fork that caused gitea-mcp to start with empty keys
  when compose used the obsidian-mcp convention.
- Auth/JwtBearerSetup, appsettings.json, README: follow rename.
- .gitea/workflows/build-image.yml: deploy job no longer clones nas-infra
  to a temp dir (which lacks the gitignored .env.shared). Now cd directly
  into /volume1/docker/compose/gitea-mcp, exposed by gitea-runner mount.

Auth/JwtBearerSetup.cs

@@ -55,14 +55,14 @@ public static class JwtBearerSetup
     /// </summary>
     private static IEnumerable<SecurityKey> BuildSigningKeys(JwtOptions opts)
     {
-        if (string.IsNullOrWhiteSpace(opts.SigningKeyCurrent))
+        if (string.IsNullOrWhiteSpace(opts.SigningKey.Current))
             throw new InvalidOperationException(
-                "Jwt:SigningKeyCurrent 未配置，gitea-mcp 无法启动。" +
+                "Jwt:SigningKey:Current 未配置，gitea-mcp 无法启动。" +
                 "请在 .env.shared 设置 JWT_SIGNING_KEY_CURRENT 与 nas-auth 共用。");
 
-        yield return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(opts.SigningKeyCurrent));
+        yield return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(opts.SigningKey.Current));
 
-        if (!string.IsNullOrWhiteSpace(opts.SigningKeyPrevious))
-            yield return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(opts.SigningKeyPrevious));
+        if (!string.IsNullOrWhiteSpace(opts.SigningKey.Previous))
+            yield return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(opts.SigningKey.Previous));
     }
 }