Commit 5ee0f15
feat: add validateAccessJwt to cloudflare:workers
Adds a new validateAccessJwt() function that validates Cloudflare Access
JWTs against team-specific JWKs. The function throws AccessJwtError with
specific error codes on validation failure, making error handling explicit.
Key features:
- No external dependencies (uses WebCrypto APIs)
- Retry logic for JWKS fetch (3 attempts, 5s backoff on 5xx)
- Isolate-level JWKS caching (1 hour TTL)
- Team domain normalization (accepts both short and full forms)
- 60s clock skew tolerance for expiration

1 parent 9a381cb commit 5ee0f15
File tree
7 files changed, +1250 -38 lines changed
- src/cloudflare
- internal
- test/access-jwt
- types/defines
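
The checks listed in the commit message (team domain normalization, key lookup in the JWKS, WebCrypto signature verification, 60s expiry skew) are sketched below as an added example that is not the commit's code. Function names, error codes, the short/full domain forms, the `https://<team>.cloudflareaccess.com` issuer and the RS256-only rule are assumptions; fetching, retrying and caching the JWKS are left to the caller.

```javascript
const SKEW_SECONDS = 60; // from the commit message; all names and error codes below are hypothetical
class JwtCheckError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// Assumed forms: "myteam" (short) and "myteam.cloudflareaccess.com" (full).
function normalizeTeamDomain(input) {
  const host = input.trim().toLowerCase().replace(/^https:\/\//, "").replace(/\/+$/, "");
  if (!/^[a-z0-9-]+(\.cloudflareaccess\.com)?$/.test(host)) {
    throw new JwtCheckError("ERR_TEAM_DOMAIN", "unexpected team domain");
  }
  return host.includes(".") ? host : `${host}.cloudflareaccess.com`;
}

const b64urlBytes = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
function parseJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new JwtCheckError("ERR_MALFORMED", "expected three segments");
  try {
    const json = (p) => JSON.parse(new TextDecoder().decode(b64urlBytes(p)));
    return { header: json(parts[0]), payload: json(parts[1]), signature: b64urlBytes(parts[2]),
             signed: new TextEncoder().encode(`${parts[0]}.${parts[1]}`) };
  } catch {
    throw new JwtCheckError("ERR_MALFORMED", "undecodable segment");
  }
}

// Called only after the signature verifies; exp gets SKEW_SECONDS of grace.
function checkClaims(payload, teamDomain, audience, nowSeconds) {
  if (payload.iss !== `https://${teamDomain}`) throw new JwtCheckError("ERR_ISSUER", "issuer mismatch");
  if (![payload.aud].flat().includes(audience)) throw new JwtCheckError("ERR_AUDIENCE", "audience mismatch");
  if (typeof payload.exp !== "number" || payload.exp + SKEW_SECONDS < nowSeconds) {
    throw new JwtCheckError("ERR_EXPIRED", "token expired");
  }
}

async function verifyAccessToken(token, jwks, team, audience, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature, signed } = parseJwt(token);
  if (header?.alg !== "RS256") throw new JwtCheckError("ERR_ALG", "only RS256 is accepted");
  const jwk = jwks.keys.find((k) => k.kty === "RSA" && k.kid === header.kid);
  if (!jwk) throw new JwtCheckError("ERR_UNKNOWN_KID", "no JWK matches the token's kid");
  const subtle = globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;
  const alg = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
  const key = await subtle.importKey("jwk", jwk, alg, false, ["verify"]);
  if (!(await subtle.verify(alg, key, signature, signed))) throw new JwtCheckError("ERR_SIGNATURE", "bad signature");
  checkClaims(payload, normalizeTeamDomain(team), audience, nowSeconds);
  return payload;
}
```

Pinning the accepted algorithm and selecting the key by `kid` from the team's own JWKS keeps the token header from choosing how it is verified.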