feat: wire TLS negotiation into NatsServer accept loop

Integrate TLS support into the server's connection accept path:
- Add SslServerAuthenticationOptions and TlsRateLimiter fields to NatsServer
- Extract AcceptClientAsync method for TLS negotiation, rate limiting, and
  TLS state extraction (protocol version, cipher suite, peer certificate)
- Add InfoAlreadySent flag to NatsClient to skip redundant INFO when
  TlsConnectionWrapper already sent it during negotiation
- Add TlsServerTests verifying TLS connect+INFO and TLS pub/sub

src/NATS.Server/NatsClient.cs

@@ -57,6 +57,7 @@ public sealed class NatsClient : IDisposable
     private long _lastIn;
 
     public TlsConnectionState? TlsState { get; set; }
+    public bool InfoAlreadySent { get; set; }
 
     public IReadOnlyDictionary<string, Subscription> Subscriptions => _subs;
 
@@ -87,8 +88,9 @@ public sealed class NatsClient : IDisposable
         var pipe = new Pipe();
         try
         {
-            // Send INFO
-            await SendInfoAsync(_clientCts.Token);
+            // Send INFO (skip if already sent during TLS negotiation)
+            if (!InfoAlreadySent)
+                await SendInfoAsync(_clientCts.Token);
 
             // Start read pump, command processing, and ping timer in parallel
             var fillTask = FillPipeAsync(pipe.Writer, _clientCts.Token);