feat(code): gRPC server with JWT auth + tool routing

tonic 0.14 gRPC server for sunbeam code sessions:
- bidirectional streaming Session RPC
- JWT interceptor validates tokens against Hydra JWKS
- tool router classifies calls as client-side (file_read, bash,
  grep, etc.) or server-side (gitea, identity, search, etc.)
- service stub with session lifecycle (start, chat, tool results, end)
- coding_model config (default: devstral-small-2506)
- grpc config section (listen_addr, jwks_url)
- 182 tests (5 new: JWT claims, tool routing)

phase 2 TODOs: Matrix room bridge, Mistral agent loop, streaming

Cargo.toml

@@ -38,3 +38,12 @@ uuid = { version = "1", features = ["v4"] }
 base64 = "0.22"
 rusqlite = { version = "0.32", features = ["bundled"] }
 futures = "0.3"
+tonic = "0.14"
+tonic-prost = "0.14"
+prost = "0.14"
+tokio-stream = "0.1"
+jsonwebtoken = "9"
+
+[build-dependencies]
+tonic-build = "0.14"
+tonic-prost-build = "0.14"