feat: add PermissionLruCache (128-entry LRU) and wire into ClientPermissions

src/NATS.Server/Auth/ClientPermissions.cs

@@ -1,4 +1,3 @@
-using System.Collections.Concurrent;
 using NATS.Server.Subscriptions;
 
 namespace NATS.Server.Auth;
@@ -7,7 +6,7 @@ public sealed class ClientPermissions : IDisposable
 {
     private readonly PermissionSet? _publish;
     private readonly PermissionSet? _subscribe;
-    private readonly ConcurrentDictionary<string, bool> _pubCache = new(StringComparer.Ordinal);
+    private readonly PermissionLruCache _pubCache = new(128);
 
     private ClientPermissions(PermissionSet? publish, PermissionSet? subscribe)
     {
@@ -34,7 +33,12 @@ public sealed class ClientPermissions : IDisposable
         if (_publish == null)
             return true;
 
-        return _pubCache.GetOrAdd(subject, _publish.IsAllowed);
+        if (_pubCache.TryGet(subject, out var cached))
+            return cached;
+
+        var allowed = _publish.IsAllowed(subject);
+        _pubCache.Set(subject, allowed);
+        return allowed;
     }
 
     public bool IsSubscribeAllowed(string subject, string? queue = null)