feat(scitt): add SCITT verification support with headers and error ha…

[kperry-godaddy]

…ndling

[csnitker-godaddy]

All three findings from the review pass are resolved:

1. CurrentHeaders expired-token suppression — verify/scitt/supplier.go:166-172 now reads tokenExp under the RLock and suppresses the token when now >= exp. Matches Rust supplier semantics. Boundary behavior (now == exp → suppressed) is pinned by test.

2. Clock-skew clamp + overflow guard — verify/scitt/status_token.go:88-93 clamps clockSkew to [0, MaxClockSkew] before the int64 conversion, closing the overflow path. WithSupplierClockSkew applies the same clamp, so the agent-side bypass is also closed. TestVerifyStatusTokenAt_ClockSkewClamping exercises math.MaxInt64 directly.

3. ans_name required at decode — decodeStatusPayload now rejects tokens missing ans_name, and verify.go:598-606 drops the if != "" guard with a comment documenting the invariant. Matches Rust oracle.

The follow-up nil-logger guard at supplier.go:167-171 is also correct and has a dedicated regression test (nilLogger: true).

Full test suite passes. LGTM.