feat: dual-mode auth (Ed25519 + OAuth) and challenge deprecation

[shivdeep1]

Summary

• Rename verify_signature node to verify_identity with dual-mode support
• Accept both Ed25519 signatures and OAuth bearer tokens for identity verification
• OAuth validation uses conditional import (graceful fallback when module absent)
• Disable semantic challenge by default (challenge_fallback_mode=disabled)
• Route directly to issue_verdict when challenge disabled

Test plan

• Ed25519 signature verification still works (backward compat)
• OAuth bearer token path works (with mocked validator)
• Graceful fallback when OAuth module not installed
• Challenge disabled routes to issue_verdict
• OAuth subject mismatch falls back to Ed25519
• Bearer token extraction helper (present/absent/non-bearer/case-insensitive)
• Challenge re-enabled via config patch routes to semantic_challenge
• All 770 existing tests pass (no regressions)