[codex] Secure notary holder binding defaults#175

Draft
jeremi wants to merge 1 commit into main from codex/holder-binding-default-did


jeremi (Member) commented Jun 29, 2026

Summary

Fixes #172.

  • Default Registry Notary credential profiles to holder_binding.mode: did with allowed_did_methods: [did:jwk].
  • Keep unbound credentials available only through explicit holder_binding.mode: none, and add a registry-notary doctor warning for those profiles.
  • Update tests, benchmark/test helper profiles that intentionally remain unbound, and Notary operator docs/changelog migration notes.

Impact

Omitting holder_binding now makes direct SD-JWT VC issuance require holder material before a credential can be minted. Existing deployments that intentionally issue bearer-style credentials need to set holder_binding.mode: none explicitly.

Validation

Passed:

  • cargo fmt --all
  • cargo fmt --all -- --check
  • git diff --check
  • cargo test -p registry-notary-core holder_binding
  • cargo test -p registry-notary --test doctor_cli doctor_json_warns_on_explicit_unbound_credential_profile
  • cargo test -p registry-notary-server issued_sd_jwt_disclosure_uses_view_claim_redacted_object_value
  • cargo test -p registry-notary-server --test memoization_test subjects_sharing_memoized_read_produce_identical_iat
  • cargo metadata --locked --all-features --format-version 1
  • cargo check --locked --workspace --all-features

Attempted but did not complete:

  • just ci-preflight from products/notary: the script copies products/notary/ to a temp workspace and then runs Cargo there, but this checkout's Cargo.toml is at the repository root, so it exits before checks with could not find Cargo.toml.
  • cargo clippy -p registry-notary-core -p registry-notary-server -p registry-notary --all-targets --all-features -- -D warnings: failed on existing unrelated lints in registry-notary-core/src/config.rs and registry-notary-server/src/api.rs (unnecessary_map_or, needless_borrow, and too_many_arguments).

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
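
The defaulting behaviour described in the PR summary, sketched as an added example that is not part of the pull request or the project's code: an omitted `holder_binding` resolves to `did` with `[did:jwk]`, issuance is refused without acceptable holder material, and a doctor-style check flags explicit `none`. All type and function names, and the sample profiles, are hypothetical.

```rust
// Added illustration; names are hypothetical, not the registry-notary API.
#[derive(Clone, Debug, PartialEq)]
pub enum Mode { Did, None }

#[derive(Clone, Debug, PartialEq)]
pub struct HolderBinding { pub mode: Mode, pub allowed_did_methods: Vec<String> }

/// A profile that omits `holder_binding` resolves to mode did + [did:jwk].
pub fn effective(configured: Option<HolderBinding>) -> HolderBinding {
    configured.unwrap_or_else(|| HolderBinding {
        mode: Mode::Did,
        allowed_did_methods: vec!["did:jwk".to_string()],
    })
}

/// Issuance gate: in did mode, refuse to mint unless the holder DID uses an
/// allowed method. The match is on the full "<method>:" prefix, so a
/// look-alike such as "did:jwkx:..." does not pass as did:jwk.
pub fn check_issuance(b: &HolderBinding, holder_did: Option<&str>) -> Result<(), String> {
    if b.mode == Mode::None {
        return Ok(()); // explicit opt-out: bearer-style credential
    }
    let did = holder_did.ok_or("holder binding required but no holder DID supplied")?;
    let allowed = b.allowed_did_methods.iter().any(|m| {
        did.strip_prefix(m.as_str())
            .and_then(|rest| rest.strip_prefix(':'))
            .map_or(false, |id| !id.is_empty())
    });
    if allowed { Ok(()) } else { Err(format!("DID method not allowed: {did}")) }
}

/// Doctor-style check: warn only for profiles that explicitly set mode none.
pub fn doctor_warnings(profiles: &[(&str, Option<HolderBinding>)]) -> Vec<String> {
    profiles.iter()
        .filter(|(_, hb)| matches!(hb, Some(h) if h.mode == Mode::None))
        .map(|(name, _)| format!("profile '{name}' issues unbound credentials"))
        .collect()
}

fn main() {
    // Constructed sample profiles: one omits holder_binding, one opts out.
    let unbound = HolderBinding { mode: Mode::None, allowed_did_methods: vec![] };
    let profiles = [("default-profile", None), ("legacy-bearer", Some(unbound))];
    for (name, hb) in &profiles {
        let eff = effective(hb.clone());
        println!("{name}: no holder material -> {:?}", check_issuance(&eff, None));
    }
    println!("{:?}", doctor_warnings(&profiles));
}
```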

Development

Successfully merging this pull request may close these issues.

Credential holder binding defaults to none (unbound) — secure-by-default should bind via did:jwk
