Add peer security configuration#21

Open
rchatham wants to merge 10 commits into master from feature/security-improvements

Conversation

rchatham (Owner) commented Jun 4, 2026

Summary

  • add PeerConnectivity-security.plan as the phased security roadmap for PeerConnectivity
  • introduce PeerSecurityConfiguration, PeerCertificatePolicy, and PeerInvitationPolicy
  • thread session security settings into MCSession creation
  • replace hardcoded certificate acceptance with explicit policy handling
  • preserve .receivedCertificate as an observation-only compatibility event
  • add PeerDiscoveryInfo support for advertised Bonjour discovery metadata
  • surface browser-provided discovery metadata with foundPeerWithDiscoveryInfo while preserving existing foundPeer events
  • replace blind .automatic invitation acceptance with policy-based handling
  • preserve .receivedInvitation for manual invitation policy and non-automatic connection types
  • add non-breaking validation helpers for MultipeerConnectivity service types and display names
  • document display name privacy and service type constraints
  • expose PeerConnectivityUI browser peer filtering via discovery metadata
  • update the demo app with selectable security modes for open, encrypted, manual invitation, filtered browser, and reject-certificate flows
  • fix the demo workspace local package reference so it resolves from repo/worktree checkouts

Verification

  • git diff --check
  • swift build && swift test
  • swift test after Phase 2 discovery metadata changes
  • swift test after Phase 3 invitation policy changes
  • swift test after Phase 4 validation/privacy hardening changes
  • swift test after Phase 5 browser filtering changes
  • swift test after certificate compatibility fix
  • swift test after demo coverage changes
  • xcodebuild build -workspace PeerConnectivity.xcworkspace -scheme PeerConnectivityUI -destination 'platform=iOS Simulator,name=iPhone 16,OS=18.3.1' -configuration Debug
  • xcodebuild test -workspace PeerConnectivity.xcworkspace -scheme PeerConnectivity -destination 'platform=iOS Simulator,name=iPhone 16,OS=18.3.1' -configuration Debug
  • xcodebuild build -project PeerConnectivityDemo.xcodeproj -scheme PeerConnectivityDemo -destination 'platform=iOS Simulator,name=iPhone 16,OS=18.3.1' -configuration Debug

Notes

  • Security defaults remain backward-compatible: optional encryption, no security identity, accept-all certificate policy, and accept-all automatic invitation policy.
  • Certificate decisions now live in PeerSecurityConfiguration.certificatePolicy.
  • .receivedCertificate remains observable for API compatibility, but its supplied handler is observation-only and does not affect the certificate decision.
  • Discovery info is public, unauthenticated Bonjour TXT record metadata; docs warn not to include secrets, tokens, emails, stable user IDs, or sensitive device information.
  • Existing .foundPeer(peer:) events are preserved; metadata is exposed through the additional .foundPeerWithDiscoveryInfo(peer:discoveryInfo:) event.
  • Source compatibility note: PeerConnectionEvent has a new .foundPeerWithDiscoveryInfo(peer:discoveryInfo:) case. Existing exhaustive switches over PeerConnectionEvent may need a new case or default.
  • Invitation context is received before session establishment and should be treated as public, unauthenticated metadata.
  • Service type and display name validation helpers are advisory/non-breaking; initialization behavior is unchanged.
  • Browser peer filtering is synchronous and defaults to presenting all peers when no filter is supplied.
  • The demo app can be run on two simulators/devices to manually exercise the new security and discovery flows.

Follow-up

  • Security plan phases 1–5 are implemented for this PR.
  • Potential future work: typed Codable helpers for invitation context or stronger service type wrapper APIs.
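
As an added example that is not part of this PR or of the PeerConnectivity library, the block below shows how a caller could implement the policy points the summary and notes describe (explicit certificate decisions, invitation context and discovery info treated as untrusted, required encryption, service type and display name constraints) directly on top of the MultipeerConnectivity delegate callbacks. Every name in it (ServiceTypeError, validateServiceType, validateDisplayName, PinnedCertificatePolicy, shouldAcceptInvitation, shouldPresentPeer, makeHardenedSession), the "app" key looked up in invitation context and discovery info, and the 512-byte context cap are this example's own choices, not the project's API. The service type and display name rules are the ones Apple documents for MCNearbyServiceAdvertiser and MCPeerID; the sample inputs at the bottom are constructed for illustration.

```swift
// Added example, not PeerConnectivity code. Names and the "app" key are assumptions.
import Foundation
import MultipeerConnectivity
import Security
import CryptoKit

/// Errors the service type validator reports (names are this example's own).
enum ServiceTypeError: Error, Equatable {
    case badLength
    case badCharacter(String)
    case noLetter
    case edgeHyphen
    case adjacentHyphens
}

/// Enforces Apple's documented MCNearbyServiceAdvertiser service type rules:
/// 1 to 15 characters, only ASCII lowercase letters, digits and hyphens, at least
/// one letter, no leading or trailing hyphen, no two hyphens in a row.
/// Returns nil when the type is acceptable.
func validateServiceType(_ type: String) -> ServiceTypeError? {
    let scalars = Array(type.unicodeScalars)
    guard (1...15).contains(scalars.count) else { return .badLength }
    for scalar in scalars {
        switch scalar {
        case "a"..."z", "0"..."9", "-": continue
        default: return .badCharacter(String(scalar))
        }
    }
    guard scalars.contains(where: { ("a"..."z").contains($0) }) else { return .noLetter }
    guard !type.hasPrefix("-"), !type.hasSuffix("-") else { return .edgeHyphen }
    guard !type.contains("--") else { return .adjacentHyphens }
    return nil
}

/// MCPeerID display names are capped at 63 bytes of UTF-8; a name that looks short
/// can still exceed the cap once multi-byte characters are counted.
func validateDisplayName(_ name: String) -> Bool {
    let byteCount = name.utf8.count
    return byteCount > 0 && byteCount <= 63
}

/// Certificate decision: pin the peer's leaf certificate by SHA-256 of its DER bytes.
/// MultipeerConnectivity hands the delegate the raw chain and makes no trust decision
/// itself, so an accept-all handler leaves the encrypted session open to any peer.
struct PinnedCertificatePolicy {
    /// Lowercase hex SHA-256 digests of the DER-encoded leaf certificates we trust.
    let pinnedLeafSHA256: Set<String>

    func accepts(_ certificateChain: [Any]?) -> Bool {
        guard let leaf = certificateChain?.first,
              CFGetTypeID(leaf as CFTypeRef) == SecCertificateGetTypeID() else {
            return false
        }
        let der = SecCertificateCopyData(leaf as! SecCertificate) as Data
        let hex = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        return pinnedLeafSHA256.contains(hex)
    }
}

/// Invitation context arrives before any session exists and before the certificate
/// exchange, so it is attacker-controlled bytes: bound its size, parse it defensively,
/// and use it only to decide whether to talk to the peer at all, never to grant access.
func shouldAcceptInvitation(context: Data?, expectedApp: String) -> Bool {
    guard let context = context, context.count <= 512,          // 512-byte cap is an assumption
          let object = try? JSONSerialization.jsonObject(with: context),
          let fields = object as? [String: Any],
          let app = fields["app"] as? String else {
        return false
    }
    return app == expectedApp
}

/// Browser filter over Bonjour TXT discovery metadata. That data is equally public and
/// unauthenticated, so the filter only hides unrelated peers; it is not access control.
func shouldPresentPeer(discoveryInfo: [String: String]?, expectedApp: String) -> Bool {
    return discoveryInfo?["app"] == expectedApp
}

/// A session that refuses peers that will not encrypt. `identity` is a SecIdentity the
/// caller has already loaded from the keychain (assumed; loading is not shown here).
func makeHardenedSession(peer: MCPeerID, identity: SecIdentity?) -> MCSession {
    let securityIdentity: [Any]? = identity.map { [$0] }
    return MCSession(peer: peer, securityIdentity: securityIdentity, encryptionPreference: .required)
}

// Constructed inputs (not from the project) exercising the service type rules.
let checks: [(String, ServiceTypeError?)] = [
    ("peer-chat", nil),
    ("-peerchat", .edgeHyphen),
    ("peer--chat", .adjacentHyphens),
    ("12345", .noLetter),
    ("PeerChat", .badCharacter("P")),
]
for (candidate, expected) in checks {
    assert(validateServiceType(candidate) == expected, "unexpected result for \(candidate)")
}
assert(validateDisplayName(String(repeating: "é", count: 32)) == false) // 64 bytes, 32 characters
```

Wiring is the caller's job: return `policy.accepts(certificate)` through the handler in `session(_:didReceiveCertificate:fromPeer:certificateHandler:)`, pass `shouldAcceptInvitation(context:expectedApp:)` as the Bool to `invitationHandler` in `advertiser(_:didReceiveInvitationFromPeer:withContext:invitationHandler:)`, and consult `shouldPresentPeer(discoveryInfo:expectedApp:)` in `browser(_:foundPeer:withDiscoveryInfo:)`. CryptoKit requires iOS 13 / macOS 10.15 or later; on older targets substitute a CommonCrypto SHA-256. The pin here is on the leaf certificate only, which suits self-issued peer identities; if peers chain to a private CA, evaluate the chain with SecTrust against that CA instead.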
