v0.2.0: silent-drop handshake authentication

Adds optional ALPN-based handshake authentication: when QUICSSH_AUTH_SECRET
is set on both client and server, the client embeds an HMAC-SHA256 token
(keyed by the secret and a 30s time window) in the TLS ALPN extension of
its Initial packet, and the server inspects each incoming Initial's
ClientHello before any response goes on the wire. Unauthenticated
connection attempts are silently dropped at the UDP layer — the port
appears closed to scanners.

Verified by packet capture: zero response packets are sent to clients
presenting a wrong or missing token; matching clients see a normal QUIC
handshake. Tolerates ±30s clock skew between client and server.

Implementation notes:
- Bumps quinn 0.10 → 0.11, rustls 0.21 → 0.23, rcgen 0.12 → 0.13.
- Uses quinn::Incoming::ignore() for the silent-drop path. ClientHello
  inspection relies on Incoming::handshake_bytes(), added in a small
  patch to quinn vendored at vendor/quinn (submodule on the
  aiguy110/quinn fork; upstream PR quinn-rs/quinn#2644).
- Server rotates the valid token set every WINDOW_SECS/2 to keep the
  current ±1 windows accepted at all times.
- When QUICSSH_AUTH_SECRET is unset, behaviour is identical to v0.1.x:
  no authentication, any client can connect.

Author: aiguy110

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "vendor/quinn"]
+	path = vendor/quinn
+	url = https://github.com/aiguy110/quinn.git