
feat: support JWT_JWKS for metrics endpoint auth (as alternative to METRICS_JWT_SECRET) #1951

Description

@ElemTran

Problem

Currently the metrics endpoint in realtime hard-requires METRICS_JWT_SECRET
(HS256 symmetric) and crashes at boot if it is missing:

# config/runtime.exs (PR #1729, v2.103+)
metrics_jwt_secret =
  if config_env() == :test do
    System.get_env("METRICS_JWT_SECRET")
  else
    System.fetch_env!("METRICS_JWT_SECRET")  # crashes on missing
  end

Meanwhile, the WebSocket/API endpoint already supports API_JWT_JWKS for both
ES256 and HS256 verification. This creates an inconsistency:

endpoint   auth variable        formats
API        API_JWT_JWKS         ES256 + HS256
metrics    METRICS_JWT_SECRET   HS256 only

In self-hosted setups that are migrating to asymmetric signing (ES256 via
GOTRUE_JWT_KEYS), we still have to maintain a separate HS256 symmetric key
just for realtime metrics — even though JWT_JWKS already contains the same
HS256 key material plus the ES256 public keys.

Proposal

Allow metrics_jwt_secret to fall back to API_JWT_JWKS:

metrics_jwt_secret =
  cond do
    config_env() == :test -> System.get_env("METRICS_JWT_SECRET")
    jwt_jwks = System.get_env("API_JWT_JWKS") -> jwt_jwks
    true -> System.fetch_env!("METRICS_JWT_SECRET")
  end

Or alternatively, accept a JWKS directly so the metrics plug can verify ES256
tokens the same way the API plug does.

Benefit

  • One less env var for self-hosted operators to configure
  • Consistent auth across all realtime endpoints
  • Reduces the surface area of symmetric key references (better security posture
    when migrating to asymmetric signing)
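Added example (not code from the issue author or from the realtime project): a small metrics-auth verifier that takes key material the way the proposal describes, from API_JWT_JWKS when set and otherwise from METRICS_JWT_SECRET wrapped as a one-key JWKS, and verifies HS256 tokens against only the symmetric `oct` entries so EC public keys sitting in the same JWKS are never used as HMAC secrets. Python stdlib only; the secret, JWKS and token below are constructed sample values, and ES256 verification is deliberately out of scope.

```python
import base64, hashlib, hmac, json, time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def metrics_keys(env: dict) -> list:
    """Same precedence as the proposed cond: API_JWT_JWKS if set, else METRICS_JWT_SECRET.
    A bare secret becomes a one-key JWKS so both paths share one verifier."""
    if env.get("API_JWT_JWKS"):
        return json.loads(env["API_JWT_JWKS"])["keys"]
    if env.get("METRICS_JWT_SECRET"):
        return [{"kty": "oct", "alg": "HS256", "k": b64url_encode(env["METRICS_JWT_SECRET"].encode())}]
    raise RuntimeError("neither API_JWT_JWKS nor METRICS_JWT_SECRET is set")


def sign_hs256(claims: dict, secret: bytes, kid: str) -> str:
    """Mint a test token (constructed input for the example)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_metrics_token(token: str, keys: list, now: float = None) -> dict:
    now = time.time() if now is None else now
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("only HS256 is handled here; ES256 entries need an EC verifier")
    # Only symmetric 'oct' keys are eligible for HS256; EC keys in the same JWKS are
    # skipped so public-key bytes can never be misused as an HMAC secret.
    candidates = [k for k in keys if k.get("kty") == "oct" and k.get("alg", "HS256") == "HS256"]
    if "kid" in header:
        candidates = [k for k in candidates if k.get("kid") == header["kid"]]
    for k in candidates:
        expected = hmac.new(b64url_decode(k["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            claims = json.loads(b64url_decode(p))
            if claims.get("exp", float("inf")) < now:
                raise ValueError("token expired")
            return claims
    raise ValueError("signature matches no eligible key")


# Constructed sample: one HS256 secret plus one ES256 public key (placeholder coordinates).
SAMPLE_SECRET = b"constructed-metrics-secret-not-real"
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "oct", "kid": "hs-1", "alg": "HS256", "k": b64url_encode(SAMPLE_SECRET)},
    {"kty": "EC", "kid": "es-1", "alg": "ES256", "crv": "P-256", "x": "AA", "y": "AA"}]})
SAMPLE_ENV = {"API_JWT_JWKS": SAMPLE_JWKS}
```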
