feat(web): implement secure core-web tunnel with Noise protocol (#1976)

Implement end-to-end encryption for core-web connections using the
Noise protocol framework with the following changes:

Client-side (easytier/src/web_client/):
- Add security.rs module with Noise handshake implementation
- Add upgrade_client_tunnel() for client-side handshake
- Add Noise frame encryption/decryption via TunnelFilter
- Integrate GetFeature RPC for capability negotiation
- Support secure_mode option to enforce encrypted connections
- Handle graceful fallback for backward compatibility

Server-side (easytier-web/):
- Accept Noise handshake in client_manager
- Expose encryption support via GetFeature RPC

The implementation uses Noise_NN_25519_ChaChaPoly_SHA256 pattern for
encryption without authentication. Provides backward compatibility
with automatic fallback to plaintext connections.
KKRainbow
2026-03-10 08:48:08 +08:00
committed by GitHub
parent 694b8d349d
commit ecd1ea6f8c
8 changed files with 404 additions and 34 deletions
@@ -169,6 +169,16 @@ impl WebServerService for SessionRpcService {
}
ret
}
async fn get_feature(
&self,
_: BaseController,
_: easytier::proto::web::GetFeatureRequest,
) -> rpc_types::error::Result<easytier::proto::web::GetFeatureResponse> {
Ok(easytier::proto::web::GetFeatureResponse {
support_encryption: true,
})
}
}
pub struct Session {
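Review bot: `support_encryption: true` is hard-coded in `get_feature`, and the method has no doc comment saying what the flag promises to a client. The commit message describes this RPC as the capability negotiation step that decides between the Noise handshake and the plaintext fallback, so consider deriving the value from the same state that enables handshake acceptance in client_manager, which keeps the advertisement from drifting away from what the server actually accepts. A short comment would also help, stating that the reply is only an advertisement and that a client with secure_mode set should refuse plaintext regardless of the value returned here, since the NN pattern named in the commit message authenticates neither side.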