Guard MPP signer selection by key_type

[jschnelder]

Motivation

keys.toml already supports multiple key_type values (secp256k1 / p256 / webauthn), but the MPP path was not using key_type in signer selection:

• discover_mpp_config selected entries by priority/inline key only.
• LazySessionProvider always built mpp::PrivateKeySigner (secp256k1 path).

This could select an incompatible key entry and fail at runtime, creating a config-vs-execution mismatch in MPP signing behavior.

Solution

This PR makes the signer decision chain explicitly key_type-aware with minimal scope:

• Add compatibility helpers in tempo keystore:
  • KeyType::supports_private_key_signer()
  • KeyEntry::has_compatible_inline_key()
• Update MPP key discovery to:
  • filter candidates to signer-compatible key types
  • keep existing priority rules within compatible candidates
  • carry key_type in MppKeyConfig metadata
• Add a transport guard before signer init:
  • return a clear error for unsupported key types instead of failing later in parse/sign flow
• Add tests for:
  • preferring compatible secp256k1 when mixed key types exist
  • returning None when only incompatible key types are present

This keeps current secp256k1 signer behavior, but removes ambiguous/incompatible key selection paths.

PR Checklist

• Added Tests
• Added Documentation
• Breaking changes