Geolocation: add location and timing fields to signed TWAMP replies for paired probing

[ben-dz]

Resolves: #3190

Summary of Changes

• Extend the signed TWAMP reply packet with five new fields (MeasurementSlot, Lat, Lng, SinceLastRxNs, RttNs) and embed DZD LocationOffset blobs, enabling inbound geolocation probing for TEE-based targets that cannot measure time
• Implement paired probing in the target-sender: two probes sent back-to-back let the reflector compute the inter-arrival delta (SinceLastRxNs) as a proxy RTT
• Add IP-binding for probe pairs on the reflector — both probes in a pair must originate from the same source IP, preventing cross-sender interference
• Add pair-based rate limiting (2 probes per window per sender pubkey) to bound reply throughput
• Add ParseOffsetInfo to extract location/timing data from Borsh-encoded LocationOffset blobs without importing the full geoprobe package
• Re-add probe signature verification logging in the target-sender for defense-in-depth audit trails
• Update RFC16 to document the paired-probing inbound measurement flow (steps 5–9)

Related: RFC16 — Geolocation Verification

Diff Breakdown

Category	Files	Lines (+/-)	Net
Core logic	4	+319 / -146	+173
Tests	3	+321 / -57	+264
Docs	1	+36 / -19	+17
Config/build	1	+1 / -1	0

~60% of the diff is test coverage; core logic is concentrated in 4 files.

Key files (click to expand)

• controlplane/telemetry/cmd/geoprobe-target-sender/main.go — Rewrite probe loop to send paired probes; add probe signature verification logging; add --format flag for text/JSON output with new location and timing fields
• tools/twamp/pkg/signed/reflector_linux.go — Add pairSourceIP IP-binding, pair-based rate limiting, SinceLastRxNs inter-arrival timing, and LocationOffset embedding in replies
• tools/twamp/pkg/signed/packet.go — Extend ReplyPacket with five new signed fields; add ParseOffsetInfo for Borsh-encoded offset extraction
• tools/twamp/pkg/signed/reflector_test.go — Add tests for IP-binding rejection, corrupted second-probe signature rejection, and pair-based rate limiting
• tools/twamp/pkg/signed/packet_test.go — Add tests for new reply fields, ParseOffsetInfo, byte layout, and tamper detection
• controlplane/telemetry/cmd/geoprobe-target-sender/main_test.go — Update test fixtures for new paired-probe output fields
• rfcs/rfc16-geolocation-verification.md — Document inbound paired-probing flow and updated reply packet format

Testing Verification

• All tools/twamp/pkg/signed/... tests pass (38 tests), including new tests for IP-binding rejection, second-probe signature rejection, pair-based rate limiting with SinceLastRxNs assertions, and ParseOffsetInfo field-skip validation
• All controlplane/telemetry/cmd/geoprobe-target-sender/... tests pass with updated paired-probe output format
• geoprobe-agent binary builds cleanly
• Manual end-to-end testing with deployed geoprobe-agent and target-sender binaries