TW-4830 Bound GPG keyserver lookups during public key discovery #50

Merged: qasim-nylas merged 1 commit into main from codex/TW-4830-gpg-keyserver-lookup-hang on Apr 12, 2026

@qasim-nylas
Collaborator

Summary

  • skip remote GPG lookup for reserved domains after checking the local keyring first
  • add bounded per-keyserver timeouts to email and key ID fetch paths
  • add regression coverage for the fast-fail not-found path

Problem

make ci-full could hang in TestFindPublicKeyByEmail_NotFound when FindPublicKeyByEmail fell through to:

gpg --auto-key-locate wkd,keyserver --keyserver pgp.mit.edu --locate-keys nonexistent@e8f9a2b1-c3d4-5e6f-7g8h-9i0j1k2l3m4n.test

For reserved or non-existent addresses, WKD fails quickly and dirmngr then attempts a public keyserver lookup. That remote lookup is not deterministic and can block long enough to stall full CI and local developer runs.

Root Cause

The not-found path had two gaps:

  • reserved domains such as .test were treated like real public-key-discoverable addresses
  • remote GPG keyserver fetches had no explicit timeout, so the command runtime depended on external keyserver behavior

Changes

  • keep the existing local keyring lookup as the first step
  • skip remote lookup entirely for reserved domains (.test, .example, .invalid, .localhost)
  • apply a 5 second timeout to each remote keyserver attempt in both email-based lookup and direct key fetch paths
  • run the not-found integration test with a short context timeout and add coverage for reserved-domain detection

Behavior Notes

  • local public keys are still honored first
  • real domains still use remote lookup when needed, but now fail fast instead of hanging indefinitely
  • test-only domains no longer depend on external network services

Validation

  • go test ./internal/adapters/gpg -v
  • make ci-full

Jira

  • TW-4830
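
The two fixes the description names (skip remote lookup for reserved domains, and bound each keyserver attempt), as an added example that is not code from this pull request or the project. `locateRemote`, `ErrKeyNotFound` and the injectable `fetch` parameter are hypothetical names; the reserved TLD list, the 5 second value and the gpg command line are taken from the description above.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// Reserved TLDs from the PR description; ErrKeyNotFound is a hypothetical sentinel.
var reservedTLDs = map[string]bool{"test": true, "example": true, "invalid": true, "localhost": true}
var ErrKeyNotFound = errors.New("public key not found")

// isReservedDomain reports whether the last label after the final "@" is a reserved TLD.
func isReservedDomain(email string) bool {
	domain := strings.ToLower(strings.TrimSuffix(email[strings.LastIndex(email, "@")+1:], "."))
	return reservedTLDs[domain[strings.LastIndex(domain, ".")+1:]]
}

// gpgLocate runs the command quoted in the PR; CommandContext kills gpg when ctx expires.
func gpgLocate(ctx context.Context, keyserver, email string) error {
	return exec.CommandContext(ctx, "gpg", "--auto-key-locate", "wkd,keyserver",
		"--keyserver", keyserver, "--locate-keys", email).Run()
}

// locateRemote (hypothetical) gives every keyserver attempt its own deadline.
func locateRemote(ctx context.Context, email string, servers []string, perServer time.Duration,
	fetch func(ctx context.Context, keyserver, email string) error) error {
	if isReservedDomain(email) {
		return ErrKeyNotFound // test-only domain: no network traffic at all
	}
	for _, ks := range servers {
		attemptCtx, cancel := context.WithTimeout(ctx, perServer)
		err := fetch(attemptCtx, ks, email)
		cancel()
		if err == nil || ctx.Err() != nil {
			return err // found, or the caller's own context ended: stop trying
		}
	}
	return fmt.Errorf("%w: %s", ErrKeyNotFound, email)
}

func main() { // constructed reserved-TLD address: returns at once without starting gpg
	fmt.Println(locateRemote(context.Background(), "nobody@ci.test", []string{"pgp.mit.edu"}, 5*time.Second, gpgLocate))
}
```

Passing the fetch function as a parameter lets a test substitute a stub that blocks until its context expires, so the worst case (number of keyservers times the per-server timeout) can be checked without network access.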

@qasim-nylas qasim-nylas requested a review from AaronDDM April 12, 2026 14:33
Collaborator

@AaronDDM AaronDDM left a comment

LGTM 👍

@qasim-nylas qasim-nylas merged commit e4438af into main Apr 12, 2026
6 checks passed
@qasim-nylas qasim-nylas deleted the codex/TW-4830-gpg-keyserver-lookup-hang branch April 12, 2026 15:07