feat(auth): support RS256 + OIDC discovery (JWKS auto-fetch)

Add Jwt__Algorithm config to choose between HS256 (shared symmetric key,
existing behavior, default) and RS256 (Authority-based OIDC discovery,
public-key auto-fetch with periodic refresh).

RS256 mode makes the server compatible with any standard OAuth 2.1 / OIDC
provider (Logto, ZITADEL, Keycloak, Auth0) without requiring a shared
secret. HS256 mode remains the default for minimal self-built AS setups.

Config/JwtOptions.cs

@@ -2,18 +2,30 @@ namespace ObsidianMcp.Config;
 
 /// <summary>
 /// JWT 验签配置。
-/// 环境变量：Jwt__Issuer, Jwt__Audience, Jwt__SigningKey__Current, Jwt__SigningKey__Previous
+/// 环境变量：Jwt__Algorithm, Jwt__Issuer, Jwt__Audience, Jwt__SigningKey__Current, Jwt__SigningKey__Previous
 /// </summary>
 public class JwtOptions
 {
     public const string Section = "Jwt";
 
+    /// <summary>
+    /// JWT 签名算法。
+    /// <list type="bullet">
+    ///   <item><c>HS256</c>（默认）：与 AS 共享对称密钥（SigningKey.Current 必填）。适合自建极简 AS。</item>
+    ///   <item><c>RS256</c>：从 Issuer 走 OIDC discovery 自动拉 JWKS（含自动刷新）。
+    ///     适合任何标准 OAuth 2.1 / OIDC AS（Logto / ZITADEL / Keycloak / Auth0 等）。
+    ///     要求 Issuer 暴露 <c>/.well-known/openid-configuration</c>。</item>
+    /// </list>
+    /// </summary>
+    public string Algorithm { get; set; } = "HS256";
+
     /// <summary>期望的 iss claim（你的 auth server 的 issuer URL），必须通过 env 注入</summary>
     public string Issuer { get; set; } = string.Empty;
 
     /// <summary>期望的 aud claim，默认 obsidian</summary>
     public string Audience { get; set; } = "obsidian";
 
+    /// <summary>HS256 模式使用；RS256 模式下忽略。</summary>
     public SigningKeyPair SigningKey { get; set; } = new();
 
     public class SigningKeyPair