[Documentation] Add security comment explaining JWT signature skip #414

@cbcoutinho

Context

From PR #401 code review - Low priority code documentation.

Problem

At token_broker.py:535, JWT signature verification is skipped during decoding. This is intentional and secure (introspection provides validation), but lacks an explanatory comment.

Current Code:

# Line 535
jwt.decode(access_token, options={"verify_signature": False})

Proposed Comment:

# Skip JWT signature verification here because:
# 1. Token was already validated via introspection (line X)
# 2. We only need to extract claims (sub, exp, scope)
# 3. IdP signature verification happens server-side during introspection
# This is safe and avoids needing IdP's public key for signature verification
jwt.decode(access_token, options={"verify_signature": False})

Benefits

  • Prevents future developers from "fixing" this as a security bug
  • Documents the security model
  • Explains why introspection-based validation is sufficient

References

Priority

Low - Documentation only, no functional change
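
The ordering the proposed comment relies on, as an added example that is not the project's code: claims are read from the unverified payload only after introspection reports the token active. Assumptions: `introspect` is a hypothetical callable standing in for the RFC 7662 request, the standard-library payload decode stands in for the `jwt.decode(..., options={"verify_signature": False})` call, the `sub` cross-check is an extra guard not mentioned in the issue, and the sample token is constructed.

```python
import base64
import json

class TokenRejected(Exception):
    """Raised when the token must not be trusted."""

def unverified_claims(token: str) -> dict:
    """Read the JWT payload without checking the signature.

    Stdlib stand-in for jwt.decode(token, options={"verify_signature": False}).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:
        raise TokenRejected("payload is not base64url JSON") from exc
    if not isinstance(claims, dict):
        raise TokenRejected("payload is not a JSON object")
    return claims

def claims_after_introspection(token: str, introspect) -> dict:
    """Return claims only for a token the IdP reports as active.

    `introspect` is a hypothetical callable that sends the token to the IdP's
    RFC 7662 introspection endpoint and returns the parsed JSON response.
    """
    result = introspect(token)
    if result.get("active") is not True:
        raise TokenRejected("introspection did not report the token active")
    claims = unverified_claims(token)
    # We never checked the signature ourselves, so the payload must agree
    # with what the IdP said about this token (assumed extra guard).
    if "sub" in result and claims.get("sub") != result["sub"]:
        raise TokenRejected("sub differs from introspection response")
    return claims

def _make_token(claims: dict) -> str:
    """Build a constructed sample token; the signature part is a dummy value."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# Constructed sample carrying the claims the issue mentions (sub, exp, scope).
SAMPLE_TOKEN = _make_token({"sub": "alice", "exp": 4102444800, "scope": "notes:read"})
```

If the unverified decode is ever reached without the introspection call in front of it, the claims are attacker-controlled, which is the dependency the proposed comment should state.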
