
feat(http/unstable): add RFC 9421 message signatures #7039

Merged
bartlomieju merged 13 commits into denoland:main from tomas-zijdemans:message-signatures
Apr 22, 2026

@tomas-zijdemans tomas-zijdemans commented Mar 10, 2026

Add HTTP Message Signatures (RFC 9421) for signing and verifying HTTP requests and responses. Builds on the structured fields module (RFC 8941) already in std.

Coverage is as good as I can get it. There are a few lines of unreachable code.

@tomas-zijdemans tomas-zijdemans requested a review from kt3k as a code owner March 10, 2026 11:38
@github-actions github-actions Bot added the http label Mar 10, 2026
codecov Bot commented Mar 10, 2026

Codecov Report

❌ Patch coverage is 99.18699% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 94.55%. Comparing base (a864f62) to head (88327e3).
⚠️ Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
http/unstable_message_signatures.ts 99.18% 1 Missing and 4 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7039      +/-   ##
==========================================
+ Coverage   94.50%   94.55%   +0.05%     
==========================================
  Files         630      631       +1     
  Lines       50777    51392     +615     
  Branches     9037     9235     +198     
==========================================
+ Hits        47985    48595     +610     
- Misses       2224     2225       +1     
- Partials      568      572       +4     


@bartlomieju bartlomieju left a comment

Thanks for the thorough implementation! A few things to address:

badge.svg changes don't belong in this PR — The reformatting of the SVG is unrelated to message signatures. Please drop it from the branch (or submit separately).

Comment thread http/unstable_message_signatures.ts

tomas-zijdemans commented Apr 12, 2026

Thanks for the feedback!

  • Revert unrelated badge.svg change. Ooops! 🫣
  • Fix silent ECDSA curve fallback
  • Fix same class of bug for HMAC, RSA-PSS, and RSASSA-PKCS1-v1_5
  • Document ;bs limitation: add warnings in JSDoc
  • Add RFC citation for duplicate @query-param rejection. The throw is mandated by RFC 9421 section 2.2.8 ("the named query parameter MUST NOT be included")
  • Remove redundant ?? undefined in verifyMessage.
  • Add tests. Coverage can't reach 100% because of unreachable code

@bartlomieju bartlomieju left a comment

Previous round's feedback is fully addressed (ECDSA/HMAC/RSA-PSS throws, ;bs docs, @query-param RFC citation). This is a solid RFC 9421 implementation — well-structured, thorough tests, good use of the existing structured fields module.

A couple of things I'd like addressed before approving:

Comment thread http/unstable_message_signatures.ts
@tomas-zijdemans
Contributor Author

Thanks,

  • Added a ;sf List fallback test using header "1, 2, 3", asserting reserialized output to exercise the untested branch.
  • Added assertUniqueLabel that throws TypeError on label collision in either Signature-Input or Signature header, per RFC 9421 §4.

@bartlomieju bartlomieju merged commit f318978 into denoland:main Apr 22, 2026
19 checks passed
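
The label-collision check described in the last comment, sketched as an added example that is not code from this PR: `dictionaryKeys` and `assertLabelUnused` are hypothetical names and the header values are constructed. It scans for member keys instead of splitting on commas, because a quoted parameter value such as `keyid` may itself contain a comma and a label-like token.

```typescript
// Added example, not code from the PR. Names and sample headers are constructed.

/** Top-level member keys of an RFC 8941 Dictionary field value, in order. */
function dictionaryKeys(value: string): string[] {
  const keys: string[] = [];
  let member = "";
  let inString = false;
  const flush = (): void => {
    // The key is everything before the first "=" (value) or ";" (parameter).
    const key = member.trim().replace(/[=;].*$/, "");
    if (key !== "") keys.push(key);
    member = "";
  };
  for (let i = 0; i < value.length; i++) {
    const ch = value.charAt(i);
    if (inString && ch === "\\") {
      member += ch + value.charAt(i + 1); // keep the escaped character
      i++;
    } else if (ch === "," && !inString) {
      flush(); // only a comma outside a quoted string ends a member
    } else {
      if (ch === '"') inString = !inString;
      member += ch;
    }
  }
  flush();
  return keys;
}

/** Throws TypeError when `label` is already a member of either header. */
function assertLabelUnused(label: string, sigInput: string | null, sig: string | null): void {
  const headers: Array<[string, string | null]> = [
    ["Signature-Input", sigInput],
    ["Signature", sig],
  ];
  for (const [name, value] of headers) {
    if (value !== null && dictionaryKeys(value).indexOf(label) !== -1) {
      throw new TypeError(`label "${label}" already used in ${name}`);
    }
  }
}

// Constructed headers: the keyid value contains a comma and a label-like token.
const SAMPLE_SIGNATURE_INPUT =
  'sig1=("@method" "@authority");created=1618884473;keyid="k,sig2=x", ' +
  'proxy_sig=("signature";key="sig1");alg="ed25519"';
const SAMPLE_SIGNATURE = "sig1=:AAAA:, proxy_sig=:BBBB:";
```

Here `sig2` is accepted as a new label because it only appears inside the quoted `keyid` value, while `sig1` and `proxy_sig` are rejected.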