docs(ap2): add HTTP Message Signing -- RFC 9421 binding for AP2 mandate exchanges (AlgoVoi-authored)

[chopmob-cloud]

Summary

Adds docs/ap2/http_message_signing.md -- the AlgoVoi-authored binding of RFC 9421 (HTTP Message Signatures) and RFC 9530 (Digest Fields) to AP2 payment mandate HTTP exchanges.

• Minimum normative covered component set for AP2 mandate requests: @method, @authority, @path, content-digest
• Content-Digest discipline: sha-256 mandatory, sha-512 recommended above 4096 bytes
• Multi-hop proxy-chain survival property: original Signature and Signature-Input headers MUST be preserved end-to-end
• Composes with JCS payload canonicalisation: RFC 9421 signs the HTTP envelope; JCS canonicalises the mandate body

Reference implementation (Apache 2.0): algovoi-rfc9421-verifier on PyPI, @algovoi/rfc9421-verifier on npm.

Conformance fixture: chopmob-cloud/algovoi-jcs-conformance-vectors corpus rfc9421_proxy_chain_v0 -- byte-level reference digests for a two-hop proxy chain.

Sibling to PR #269 (Compliance Receipt), PR #270 (Payment Lifecycle), PR #271 (Settlement Attestation), PR #272 (Trust Query). AlgoVoi is sole author of this binding; RFC 9421 and RFC 9530 are independent IETF publications.

---

AlgoVoi (chopmob-cloud) -- Acquisition enquiries: https://docs.algovoi.co.uk/acquisition

[gemini-code-assist]

Code Review

This pull request introduces a new documentation file, docs/ap2/http_message_signing.md, which details the HTTP Message Signing specification for AP2 payment flows. The review feedback suggests minor improvements to formatting and grammar, specifically adding a comma after "e.g." and formatting the parameter keyid in backticks for consistency.