Add proof-measure client (public securedBy / measured-immutability service)

proof-measure is a separate, public, unauthenticated Dragonchain service. Adds:
- client.UnauthenticatedClient: HMAC-free transport mirroring Client's
  marshal/decode/error handling.
- proofmeasure.ProofMeasureClient: GetSecurity / Report / Health, default base
  URL https://proof-measure.dragonchain.com; standalone + a DragonchainSDK.ProofMeasure handle.
- models for SecurityResult/RawMeasure/ReportRequest/TransactionReport/etc
  (decimals as strings, timestamps int64).
- httptest unit tests.

client/unauthenticated.go

@@ -0,0 +1,103 @@
+package client
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// UnauthenticatedClient is a minimal HTTP client for public Dragonchain services
+// that require no HMAC credentials (e.g. the proof-measure service). It mirrors
+// Client's body marshaling, status handling, and response decoding, but sends no
+// Authorization/Dragonchain/Timestamp headers.
+type UnauthenticatedClient struct {
+	baseURL    string
+	httpClient *http.Client
+}
+
+// NewUnauthenticatedClient builds an UnauthenticatedClient with the default
+// HTTP client (30s timeout).
+func NewUnauthenticatedClient(baseURL string) *UnauthenticatedClient {
+	return NewUnauthenticatedClientWithHTTPClient(baseURL, nil)
+}
+
+// NewUnauthenticatedClientWithHTTPClient is like NewUnauthenticatedClient but
+// routes requests through the caller-supplied *http.Client (e.g. an SSRF-guarded
+// transport). A nil hc falls back to the package default.
+func NewUnauthenticatedClientWithHTTPClient(baseURL string, hc *http.Client) *UnauthenticatedClient {
+	if hc == nil {
+		hc = &http.Client{Timeout: 30 * time.Second}
+	}
+	return &UnauthenticatedClient{
+		baseURL:    strings.TrimSuffix(baseURL, "/"),
+		httpClient: hc,
+	}
+}
+
+// Endpoint returns the configured base URL.
+func (c *UnauthenticatedClient) Endpoint() string { return c.baseURL }
+
+func (c *UnauthenticatedClient) doRequest(ctx context.Context, method, path, contentType string, body any, response any) error {
+	var bodyBytes []byte
+	var err error
+
+	if body != nil {
+		if b, ok := body.([]byte); ok {
+			bodyBytes = b
+		} else {
+			bodyBytes, err = json.Marshal(body)
+			if err != nil {
+				return fmt.Errorf("failed to marshal request body: %w", err)
+			}
+			contentType = "application/json"
+		}
+	}
+
+	fullURL := c.baseURL + path
+	req, err := http.NewRequestWithContext(ctx, method, fullURL, bytes.NewBuffer(bodyBytes))
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+	if contentType != "" {
+		req.Header.Set("Content-Type", contentType)
+	}
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to execute request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	if resp.StatusCode >= 400 {
+		return fmt.Errorf("API error (status %d): %s", resp.StatusCode, strings.TrimSpace(string(respBody)))
+	}
+
+	if response != nil && len(respBody) > 0 {
+		if err := json.Unmarshal(respBody, response); err != nil {
+			return fmt.Errorf("failed to unmarshal response: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// Get performs an unauthenticated GET and decodes the JSON response.
+func (c *UnauthenticatedClient) Get(ctx context.Context, path string, response any) error {
+	return c.doRequest(ctx, http.MethodGet, path, "", nil, response)
+}
+
+// Post performs an unauthenticated POST and decodes the JSON response.
+func (c *UnauthenticatedClient) Post(ctx context.Context, path, contentType string, body any, response any) error {
+	return c.doRequest(ctx, http.MethodPost, path, contentType, body, response)
+}