tighten internal-entity topic protection and drop dead pub api

[fabracht]

Summary

Closes #41. The issue body claimed the four AdminRequired entries ($DB/_admin/#, $DB/_oauth_tokens/#, $DB/_identities/#, $DB/_identity_links/#) were redundant with Layer 2's is_internal_entity_topic default-deny and that BlockReason was "only logged, never pattern-matched" — that second half is wrong. topic_protection.rs:102-115, 150-163 matches on BlockReason::AdminRequired to fall through to the inner ACL check; any other BlockReason short-circuits to false. So those four entries were not cosmetic: they enabled non-admins with explicit ACL grants to publish/subscribe on those topics.

For _admin, _oauth_tokens, _identities, _identity_links the ACL-grant escape hatch isn't desirable — these are admin-only by intent. This PR removes the four entries so they fall through to Layer 2 and return InternalEntityAccess, which short-circuits without an ACL fallback. Result: non-admins are now strictly blocked regardless of ACL grants. Admins still pass through both layers as before.

$DB/_verify/# stays in PROTECTED_TOPICS because _verify is on Layer 2's allowlist; without the explicit rule it would fall through to Ok(()).

Also removes check_entity_access and is_internal_entity from the public API — both had zero external callers.

Test plan

• cargo make clippy — clean (pedantic, all targets + wasm)
• cargo test -p mqdb-agent --lib topic_rules — 22/22 pass, including updated assertions for the four affected topics (now InternalEntityAccess) and admin-allowed paths unchanged
• Pre-commit hook (format-check + clippy) passed on the commit