feat: add OAuth2 Resource Server for Logto OIDC authentication

Dual auth: machine endpoints use Ed25519 JWT filter, all other API
endpoints use Spring Security OAuth2 Resource Server with Logto OIDC.
Mock JwtDecoder provided for test isolation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/main/resources/application.yml

@@ -8,6 +8,12 @@ spring:
   flyway:
     enabled: true
     locations: classpath:db/migration
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: ${LOGTO_ISSUER_URI:}
+          jwk-set-uri: ${LOGTO_JWK_SET_URI:}
 
 management:
   endpoints:
@@ -23,3 +29,7 @@ cameleer:
     expiration: 86400 # 24 hours in seconds
     private-key-path: ${CAMELEER_JWT_PRIVATE_KEY_PATH:}
     public-key-path: ${CAMELEER_JWT_PUBLIC_KEY_PATH:}
+  identity:
+    logto-endpoint: ${LOGTO_ENDPOINT:}
+    m2m-client-id: ${LOGTO_M2M_CLIENT_ID:}
+    m2m-client-secret: ${LOGTO_M2M_CLIENT_SECRET:}