refactor: unify JwtOptions schema with obsidian-mcp + simplify deploy

- Config/JwtOptions: flatten SigningKeyCurrent/Previous into nested
  SigningKey { Current, Previous } class to match obsidian-mcp shape.
  Both services now bind the same env var pattern (Jwt__SigningKey__Current),
  removing the schema fork that caused gitea-mcp to start with empty keys
  when compose used the obsidian-mcp convention.
- Auth/JwtBearerSetup, appsettings.json, README: follow rename.
- .gitea/workflows/build-image.yml: deploy job no longer clones nas-infra
  to a temp dir (which lacks the gitignored .env.shared). Now cd directly
  into /volume1/docker/compose/gitea-mcp, exposed by gitea-runner mount.

Config/JwtOptions.cs

@@ -3,6 +3,7 @@ namespace GiteaMcp.Config;
 /// <summary>
 /// JWT 验签配置，与 nas-auth / obsidian-mcp 共用同款 HS256 对称密钥。
 /// ValidIssuer = auth.zhengchentao.win，ValidAudience = gitea。
+/// 环境变量：Jwt__Issuer, Jwt__Audience, Jwt__SigningKey__Current, Jwt__SigningKey__Previous
 /// </summary>
 public class JwtOptions
 {
@@ -11,12 +12,14 @@ public class JwtOptions
     public string Issuer { get; set; } = "https://auth.zhengchentao.win";
     public string Audience { get; set; } = "gitea";
 
-    /// <summary>当前签名密钥（HS256 对称密钥，base64 或原文均可，长度 >= 32 字节）</summary>
-    public string SigningKeyCurrent { get; set; } = string.Empty;
+    public SigningKeyPair SigningKey { get; set; } = new();
 
-    /// <summary>
-    /// 上一轮密钥（轮换窗口内保留，允许旧 Token 继续使用）。
-    /// 留空表示不存在旧密钥。
-    /// </summary>
-    public string SigningKeyPrevious { get; set; } = string.Empty;
+    public class SigningKeyPair
+    {
+        /// <summary>当前签名密钥（HS256 对称密钥），env: Jwt__SigningKey__Current</summary>
+        public string Current { get; set; } = string.Empty;
+
+        /// <summary>上一轮密钥，密钥轮换过渡期用，env: Jwt__SigningKey__Previous（可为空）</summary>
+        public string? Previous { get; set; }
+    }
 }