fix(deps): drop explicit pin on Microsoft.IdentityModel.Tokens

Same fix as obsidian-mcp: JwtBearer 10.0.x's transitive JsonWebTokens 9.x
calls Decode(ReadOnlySpan, Span) which is only in Tokens 9.x. Explicit
pin to 8.* forces downgrade → MissingMethodException → 401 on every
JWT validation.

gitea-mcp.csproj

@@ -21,9 +21,12 @@
     <PackageReference Include="ModelContextProtocol" Version="0.*" />
     <PackageReference Include="ModelContextProtocol.AspNetCore" Version="0.*" />
 
-    <!-- JWT Bearer 认证（与 nas-auth 同款 HS256） -->
+    <!-- JWT Bearer 认证（与 nas-auth 同款 HS256）。不显式 pin
+         Microsoft.IdentityModel.Tokens：JwtBearer 10.0.x 传递依赖
+         Microsoft.IdentityModel.JsonWebTokens 9.x，调 Base64UrlEncoder.Decode
+         (ReadOnlySpan, Span) 在 Tokens 9.x 才有；显式 pin 8.* 会 downgrade Tokens
+         → runtime MissingMethodException → 任何 JWT 验证 401。 -->
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.*" />
-    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.*" />
 
     <!-- HttpClient 弹性策略（retry + backoff） -->
     <PackageReference Include="Microsoft.Extensions.Http.Resilience" Version="9.*" />