Collapse CIMDFetcher onto ssrf_safe_fetch, remove redundant SSRF tests

CIMDFetcher.fetch() was a near-duplicate of ssrf_safe_fetch (DNS pinning,
streaming, size limits, timeouts). Replace with a direct call + simple TTL
cache, cutting ~280 lines. HTTP cache revalidation (ETag/304/Cache-Control)
removed in favor of a 1-hour TTL—these are static config documents.

Delete test_cimd_ssrf_protection.py (643 lines) since CIMD no longer has
its own SSRF implementation to test. Remove broken ssrf_safe_stream. Add
explicit timeout to non-SSRF JWKS fetch path. Bound verifier cache size.

Author: jlowin

loq.toml

@@ -12,7 +12,7 @@ exclude = [
 
 [[rules]]
 path = "src/fastmcp/server/auth/cimd.py"
-max_lines = 683
+max_lines = 651
 
 [[rules]]
 path = "src/fastmcp/server/auth/oauth_proxy.py"
@@ -48,7 +48,7 @@ max_lines = 954
 
 [[rules]]
 path = "tests/server/auth/test_cimd.py"
-max_lines = 672
+max_lines = 973
 
 [[rules]]
 path = "tests/server/middleware/test_tool_injection.py"