Commit 80822d5
Add RFC THV-0026 for header injection in remote MCP proxies (#26)
* Add RFC THV-0026 for header injection in remote MCP proxies
This RFC proposes server-side configuration for injecting HTTP headers
into requests forwarded to remote MCP servers. Currently, if specific
headers need to be sent to remote servers, clients must configure them
individually, which is brittle and doesn't scale across different MCP
client implementations.
The solution uses a middleware that injects configured header name-value
pairs into every request, following the existing token_injection pattern.
This provides a single, centralized configuration point for operators.
Affected components:
- thv proxy command (--remote-forward-headers flag)
- thv run command for remote URLs (--remote-forward-headers flag)
- MCPRemoteProxy Kubernetes CRD (headerForward.addHeaders field)
Related: stacklok/toolhive#3316
* Document handling of sensitive headers
Review feedback
* Address PR review: add restricted headers blocklist and middleware conflict detection
- Add restricted header blocklist (hop-by-hop, identity-spoofing, smuggling vectors)
- Add configuration-time validation for token exchange/injection conflicts
- Update middleware signature to return error on restricted headers
- Update Security Considerations with new mitigations
1 parent e14c32e commit 80822d5
1 file changed
Lines changed: 459 additions & 0 deletions
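The commit message describes a middleware that injects configured headers and rejects restricted ones when the configuration is loaded. The sketch below is an added example, not code from the RFC or from ToolHive: `NewHeaderInjector`, `Forwarded`, the `X-Tenant-Id` header and the contents of the blocklist are assumptions chosen to match the three categories the message names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed blocklist for the three categories named in the commit message; the RFC's real list is not on this page.
var restricted = map[string]string{
	"Connection": "hop-by-hop", "Keep-Alive": "hop-by-hop", "Te": "hop-by-hop", "Trailer": "hop-by-hop", "Upgrade": "hop-by-hop",
	"Host": "identity-spoofing", "X-Forwarded-For": "identity-spoofing", "X-Real-Ip": "identity-spoofing",
	"Content-Length": "smuggling", "Transfer-Encoding": "smuggling",
}

// NewHeaderInjector (hypothetical name) validates the configuration once and returns an
// error instead of a middleware if any name is restricted. Names are canonicalized first.
func NewHeaderInjector(add map[string]string) (func(http.Handler) http.Handler, error) {
	canon := make(map[string]string, len(add))
	for name, value := range add {
		key := http.CanonicalHeaderKey(name) // "transfer-encoding" -> "Transfer-Encoding"
		if class, bad := restricted[key]; bad {
			return nil, fmt.Errorf("header %q is restricted (%s)", name, class)
		}
		canon[key] = value
	}
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			for key, value := range canon {
				r.Header.Set(key, value) // operator value replaces any client-supplied one
			}
			next.ServeHTTP(w, r)
		})
	}, nil
}

// Forwarded sends one constructed request through mw and returns header name as the upstream side sees it.
func Forwarded(mw func(http.Handler) http.Handler, name, clientValue string) string {
	var seen string
	h := mw(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { seen = r.Header.Get(name) }))
	req := httptest.NewRequest(http.MethodPost, "http://proxy.example/mcp", nil)
	req.Header.Set(name, clientValue)
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	mw, err := NewHeaderInjector(map[string]string{"X-Tenant-Id": "acme"})
	fmt.Println(Forwarded(mw, "X-Tenant-Id", "client-supplied"), err)
}
```

Validating at construction time means a bad configuration fails at startup rather than on the first proxied request.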