feat(trust): add IP and device trust to skip repeated OTP #34

Merged
kidager merged 4 commits into main from feat/trust-ips-devices on Jan 26, 2026

@kidager kidager commented Jan 26, 2026

Summary

  • Allow users to skip OTP verification when logging in from a trusted IP or device
  • IP trust: automatically trusts the IP after successful OTP, configurable duration (minutes)
  • Device trust: user opts in via checkbox, stores trust in cookie + database, configurable duration (days) or permanent

Changes

Core Features:

  • TrustStore SPI with JPA implementation for persisting trusted IPs/devices
  • HMAC-signed device trust cookies to prevent tampering
  • Automatic cleanup task for expired trust entries
  • Admin-configurable durations for both trust types

Internationalization:

  • "Don't ask for code" checkbox label with proper CLDR plural rules (33 locales)
  • Moved plural logic from FreeMarker to Java (PluralRules.java) for testability
  • Handles complex plural forms (Russian, Polish, Arabic, Slovenian, etc.)

Testing:

  • Unit tests for entities, config helpers, plural rules, trust duration
  • E2E tests for IP trust, device trust, cookie tampering, cross-realm isolation
  • Consolidated CI workflow (unit + e2e tests in parallel)

Configuration

ip-trust-enabled: true/false
ip-trust-duration:
device-trust-enabled: true/false
device-trust-duration: <days, 0=permanent>

Test plan

  • Unit tests pass (just test)
  • E2E tests pass (just test-e2e)
  • IP trust skips OTP on second login from same IP
  • Device trust checkbox appears when enabled
  • Tampered cookies are rejected
  • Plural forms display correctly in multiple locales

@kidager kidager self-assigned this Jan 26, 2026
kidager added a commit to for-keycloak/spinel-theme that referenced this pull request Jan 26, 2026
@kidager kidager marked this pull request as ready for review January 26, 2026 23:35
@kidager kidager merged commit 94b0f31 into main Jan 26, 2026
9 checks passed
@kidager kidager deleted the feat/trust-ips-devices branch January 26, 2026 23:35
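
The "HMAC-signed device trust cookies" and "Tampered cookies are rejected" items in the description, sketched as an added Java example (not code from this pull request). The cookie layout, the class and method names and the demo key are assumptions, and the database side of device trust is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration. Assumed cookie layout: base64url("realm|user|deviceId|expiry") + "." + base64url(HMAC).
public class DeviceTrustCookie {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // expiryEpoch == 0 means permanent, mirroring "device-trust-duration: 0".
    static String sign(byte[] key, String realm, String user, String deviceId, long expiryEpoch) throws Exception {
        byte[] payload = String.join("|", realm, user, deviceId, Long.toString(expiryEpoch)).getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(hmac(key, payload));
    }

    // Returns the device id when the cookie is authentic, unexpired and bound to this realm and user; null otherwise.
    static String verify(byte[] key, String cookie, String realm, String user, Instant now) throws Exception {
        String[] parts = cookie == null ? new String[0] : cookie.split("\\.", -1);
        if (parts.length != 2) return null;
        byte[] payload, tag;
        try { payload = DEC.decode(parts[0]); tag = DEC.decode(parts[1]); }
        catch (IllegalArgumentException e) { return null; } // not valid base64url
        // Check the MAC in constant time before parsing any field of the payload.
        if (!MessageDigest.isEqual(hmac(key, payload), tag)) return null;
        String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|", -1);
        // A '|' inside a field yields more than four parts, so such cookies are rejected here.
        if (f.length != 4 || !f[0].equals(realm) || !f[1].equals(user)) return null;
        long expiry = Long.parseLong(f[3]);
        return (expiry == 0 || now.getEpochSecond() < expiry) ? f[2] : null;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-use".getBytes(StandardCharsets.UTF_8); // constructed sample
        Instant now = Instant.ofEpochSecond(1_769_000_000L);
        String c = sign(key, "realm-a", "alice", "dev-1", now.getEpochSecond() + 86_400);
        // Forged cookie: payload rewritten for another user, original signature reattached.
        String forged = ENC.encodeToString("realm-a|bob|dev-1|0".getBytes(StandardCharsets.UTF_8)) + c.substring(c.indexOf('.'));
        System.out.println("valid:       " + verify(key, c, "realm-a", "alice", now));
        System.out.println("other realm: " + verify(key, c, "realm-b", "alice", now));
        System.out.println("forged:      " + verify(key, forged, "realm-a", "bob", now));
        System.out.println("expired:     " + verify(key, c, "realm-a", "alice", now.plusSeconds(90_000)));
    }
}
```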