feat(compliance-controller): add configured Compliance API support

[geositta]

Explanation

This updates @metamask/compliance-controller so clients can pass an explicit Compliance API URL into ComplianceService, allowing Extension and Mobile to source the endpoint from build configuration instead of hardcoding environment switches in application code. If no apiUrl is provided, the service keeps env as a fallback and defaults to production.

This also moves the blocked-wallet lookup behavior into the shared controller package. Cached EVM wallet compliance statuses now exact-match first, then fall back to case-insensitive matching for valid 0x EVM addresses only; non-EVM addresses remain exact-match only. The package now also exports selectAreAnyWalletsBlocked so clients can share the same selector behavior.

References

Related to Extension and Mobile compliance controller integration work. Client adoption can follow after this package change is released and consumed.

Checklist

• I've updated the test suite for new or updated code as appropriate
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've communicated my changes to consumers by updating changelogs for packages I've changed
• I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

---

Note

Medium Risk
Changes request routing for the compliance API by allowing a configurable base URL and tweaks cached compliance lookups to fall back on case-insensitive matching for EVM addresses, which could affect network calls and blocked-status results if misconfigured.

Overview
Adds ComplianceServiceOptions.apiUrl to allow callers to provide an explicit Compliance API base URL (defaulting env to production when unset), including validation (no query/fragment) and correct URL joining that preserves path components.

Fixes cached blocked-wallet lookups to be casing-tolerant for valid 0x EVM addresses via shared getWalletComplianceStatus, and introduces/export selectAreAnyWalletsBlocked alongside the updated selectIsWalletBlocked.

Updates README/changelog and expands unit coverage for the new URL behavior and EVM-case-insensitive cache fallback in both controller actions and selectors.

^{Reviewed by Cursor Bugbot for commit ce4d3bf. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1c7c513. Configure here.}

[abretonc7s]

Is there a matching mobile PR? It should be split the compliance controller only on this PR. And separately sync mobile