feat: add experimental rust validation middleware

[lucarlig]

✨ Feature / Enhancement PR

🔗 Epic / Issue

No linked issue.

---

🚀 Summary (1-2 sentences)

Adds an experimental opt-in Rust implementation for mcpgateway/middleware/validation_middleware.py that moves the validation hot path into a compiled PyO3 extension while preserving Python fallback behavior when the extension is unavailable.

---

🧪 Checks

• make lint passes
• make test passes
• CHANGELOG updated (if user-facing)

---

📓 Notes (optional)

This branch was benchmarked in two ways against the Python baseline.

1. Focused validation microbenchmark
   This benchmark isolates the validation middleware hot path and measures validation cost directly on representative payload shapes. It is useful for showing the Rust validator speedup without unrelated framework overhead.

Scenario	What is being tested	Python median	Rust median	Speedup
small_safe	Small safe JSON payload	0.002 ms	0.001 ms	1.56x
unicode_safe_long	Long safe Unicode-heavy string validation	0.010 ms	0.005 ms	1.87x
nested_safe	Large nested safe JSON payload traversal	0.173 ms	0.036 ms	4.79x
deep_nested	Deep nested JSON traversal and depth-safe validation	1.355 ms	0.366 ms	3.71x
dangerous_string	Rejection of dangerous content in JSON strings	0.509 ms	0.100 ms	5.07x
mixed_params_json	Request path combining parameter checks with JSON validation	0.002 ms	0.002 ms	1.41x

2. End-to-end validation benchmark
   This benchmark uses Locust against /protocol/initialize with validation enabled and a validation-heavy mix of accepted and rejected JSON payloads. It exercises the real FastAPI request path, including request parsing, auth, middleware validation, and route handling.

Scenario	What is being tested	Python median	Rust median	Python RPS	Rust RPS	Latency speedup	Throughput gain
safe-large	Accepted large initialize payload through the full request path	180 ms	160 ms	244.94	255.95	1.12x	1.04x
rejected-large	Rejected large initialize payload returning 422 through the full request path	110 ms	100 ms	82.09	86.99	1.10x	1.06x
aggregated	Combined accepted and rejected validation-heavy traffic	160 ms	150 ms	327.03	342.94	1.07x	1.05x

The end-to-end run was executed in production-mode validation semantics so rejected payloads were actually blocked instead of only logged.

No ADR added because this remains an experimental opt-in implementation behind a feature flag and does not change the default architecture.

---

Refs #1807

[lucarlig]

check if anything from #4204 applies to changes here