mailroom: add `Cache-Control` to 404 responses for non-opt-in gateways

[va-an]

payjoin-mailroom/src/ohttp_relay/mod.rs has a TODO:

    if policy.bip77_allowed {
        Ok(gateway_uri)
    } else {
        // TODO Cache-Control header for error based on policy.expires
        // is not found the right error? maybe forbidden or bad gateway?
        // prober policy judgement can be an enum instead of a bool to
        // distinguish 4xx vs. 5xx failures, 4xx being an explicit opt out and
        // 5xx for IO errors etc
        Err(Error::NotFound)
    }

Scope

1. Add Error::NotOptedIn(Duration).
2. In to_response, map it to 404 with Cache-Control: max-age=<seconds>.
3. At the relay opt-in check call site, pass policy.expires.saturating_duration_since(Instant::now()).

Out of scope

• Changing the status code (TODO speculates 403/502, separate question).
• Replacing bip77_allowed: bool with an enum to distinguish 4xx vs 5xx (separate refactor).

Happy to take this on if the approach looks good.