refactor: rename cookie_secret to signing_key and add JWT test coverage

Breaking changes:
- Rename cookie_secret -> signing_key for clarity (JWT signing key)
- Remove redundant CookieGenerator.Secret field (unused)

Improvements:
- Fix Content-Type matching: use HasPrefix + ToLower for RFC compliance
  - Now handles: application/x-www-form-urlencoded; charset=UTF-8
  - Case-insensitive: Application/X-WWW-Form-URLEncoded
- Add comprehensive JWT test coverage (20 tests):
  - Signature verification and tampering detection
  - Expiration validation
  - Token lifecycle and status transitions
  - Cookie generation and validation
  - Edge cases and malformed tokens

Updated:
- README: cookie_secret -> signing_key with JWT clarification
- Simplified CookieGenerator.Init() (no secret param)

All tests pass. Closes security and UX gaps in stateless captcha flow.

Author: LaurenceJJones

internal/remediation/captcha/README.md

@@ -14,7 +14,7 @@ hosts:
       timeout: 10  # HTTP client timeout in seconds (default: 5)
       pending_ttl: "30m"  # TTL for pending captcha tokens (default: 30m)
       passed_ttl: "24h"   # TTL for passed captcha tokens (default: 24h)
-      cookie_secret: "your-32-byte-minimum-secret-key-here"  # REQUIRED: Secret for signing cookies (minimum 32 bytes) - breaking change in 0.3.0
+      signing_key: "your-32-byte-minimum-secret-key-here"  # REQUIRED: Key for signing JWT tokens (minimum 32 bytes) - breaking change in 0.3.0
   - host: "*"
     captcha:
       fallback_remediation: allow
@@ -28,7 +28,7 @@ hosts:
 - `timeout` - HTTP client timeout in seconds for captcha validation requests (default: 5)
 - `pending_ttl` - Time-to-live for pending captcha tokens. Accepts Go duration format (e.g., "30m", "1h", "2h30m"). Default: "30m"
 - `passed_ttl` - Time-to-live for passed captcha tokens. Accepts Go duration format (e.g., "24h", "48h", "7d"). Default: "24h"
-- `cookie_secret` - **REQUIRED** (breaking change in 0.3.0): Secret key used for signing captcha cookies. Must be at least 32 bytes. This must be explicitly configured and should be different from `secret_key` for compliance and security best practices. For multi-instance deployments, use the same `cookie_secret` across all instances to share cookies.
+- `signing_key` - **REQUIRED** (breaking change in 0.3.0): Cryptographic key used for signing JWT captcha tokens (HMAC-SHA256). Must be at least 32 bytes. This must be explicitly configured and should be different from `secret_key` for compliance and security best practices. For multi-instance deployments, use the same `signing_key` across all instances to share tokens.
 
   To generate a secure random 32-byte secret using OpenSSL:
   ```bash