Introduce `tee-verifier` contract (stateless `dcap_qvl::verify` wrapper)

[pbeza]

Background

Today the MPC contract performs Intel TDX quote verification itself, which bakes a large cryptographic library — dcap-qvl and its ring / webpki / x509-cert dependencies — into its on-chain binary, bloating its size and forcing every other team that wants quote verification to bundle the same library.

This issue introduces a small, standalone verifier contract whose only job is to verify a quote and return the result. Moving that one step into its own contract lets the MPC contract (and anyone else) request verification over a cross-contract call instead of carrying dcap-qvl, and keeps the verifier independently auditable and upgradeable.

User Story

As an MPC contract maintainer, I want a dedicated, stateless verifier contract that performs quote verification, so the MPC contract can delegate that step instead of embedding the cryptographic library in its own binary.

Acceptance Criteria

• New crate tee-verifier under crates/.
• A single entry point that takes a quote and returns the verification result, using the shared types from Introduce tee-verifier-interface crate (Borsh wire DTOs) #3265.
• Stateless — the contract holds no on-chain state and behaves as a pure function of its inputs.
• Actual deployment of the contract is tracked separately; merging this work closes the issue.

Resources & Additional Notes

PR: #3237. Depends on #3265. Tracked by #3264.