feat: CEP-22 - config, capability advertisement, and server gate

[harsh04044]

Part of #87

Second PR of CEP-22. Wires up config and capability negotiation - still no chunking, that's the third PR.

What's in this PR:

OversizedTransferConfig - 10 knobs (enabled, threshold, chunk_size, max bytes/chunks/concurrent, timeouts, out-of-order limits) with builder methods. Attached to both NostrServerTransportConfig and NostrClientTransportConfig via with_oversized_transfer() and with_oversized_enabled(). Defaults to disabled.

Server advertisement - when enabled, pushes support_oversized_transfer into AnnouncementManager's internal common tags so it reaches the CEP-6 announcement (kind 11316) and the CEP-35 first-response replay. Replaced
the hardcoded oversized_enabled = false stub with the config flag, threaded through start() into event_loop.

Client advertisement - get_client_capability_tags() emits support_oversized_transfer when enabled, independent of encryption tags.

12 new tests covering defaults-off, tag emitted iff enabled, announcement includes/omits tag, first-response snapshot, and the gate truth table.

[ContextVM-org]

This PR is clean and mergeable. The config builders, server advertisement via internal_common_tags, client capability tags, and the event-loop gate all match the TS SDK reference and the spec. All tests pass.

Two issues I found:

1. SessionSnapshot does not expose supports_oversized_transfer (or the pre-existing supports_encryption / supports_ephemeral_encryption). ClientSession has the field, but get_session() and get_all_sessions() omit it from the public snapshot. External consumers cannot query learned peer capabilities through the session store API. I recommend adding all three capability fields to SessionSnapshot and updating the two snapshot constructors.

2. test_server_learns_client_oversized_only_when_enabled reimplements the gate expression in the test body rather than exercising the actual event_loop path. The inline comment is honest about this, but it means a regression in the production gate logic would not be caught. I would follow up with a lightweight integration test that feeds a tagged event through the event loop and asserts the final session state.

Minor nit: AnnouncementManager::get_capability_tags() only returns encryption tags, not all capabilities. The oversized tag bypasses this via internal_common_tags, which is architecturally fine, but the method name is misleading.

[harsh04044]

@ContextVM-org addressed all three - added supports_encryption, supports_ephemeral_encryption, and supports_oversized_transfer to SessionSnapshot, added a public session_snapshot() accessor, and added three integration tests that drive the real event loop and pin both operands of the gate. also renamed get_capability_tags() to get_encryption_capability_tags() with a doc note.