feat(auth-jwt): initial implementation — JWT lifecycle and AuthMiddleware (v1.0.0)

Introduces code.nochebuena.dev/einherjar/auth-jwt — JWT authentication middleware
and token lifecycle management for the Einherjar framework. Absorbs httpauth-jwt
from micro-lib with three changes: logger parameter on AuthMiddleware, httputil.Error
for consistent 401 responses, and added ECDSA support.

Signers and Verifiers (one file per implementation — CT-6 compliant):
- Verifier interface — Verify(tokenString string) (*jwt.Token, error)
- Signer interface — extends Verifier; adds Sign(claims jwt.Claims) (string, error)
- signer_hmac.go — NewHMACSigner(secret) → HS256; jwt.WithJSONNumber() on Verify
- signer_rsa.go — NewRSASigner(key) + NewRSASignerFromPEM(pem) → RS256
- verifier_rsa.go — NewRSAPublicKeyVerifier + NewRSAPublicKeyVerifierFromPEM → RS256 verify-only
- signer_ec.go — NewECSigner(key) + NewECSignerFromPEM(pem) → ES256/384/512; algorithm
  auto-detected from key curve (P-256→ES256, P-384→ES384, P-521→ES512)
- verifier_ec.go — NewECPublicKeyVerifier + NewECPublicKeyVerifierFromPEM → EC verify-only

Token lifecycle:
- TokenConfig struct — AccessTTL, RefreshTTL, Issuer
- TokenPair struct — AccessToken, RefreshToken, ExpiresIn
- IssueTokenPair — access + refresh pair; customClaims merged at top level; refresh
  carries only sub/iss/iat/exp/jti/fam; jwt.WithJSONNumber() preserves int64 bitmasks
- Blacklist interface — IsRevoked + Revoke; satisfied by cache-valkey via duck typing
- ErrTokenRevoked — errors.New sentinel; errors.Is pattern for replay-attack detection
- RefreshTokenPair — verifies token, checks blacklist, revokes old JTI, issues new pair

HTTP middleware:
- AuthMiddleware(logger, verifier, publicPaths) — verifies Bearer tokens; calls
  authmw.SetTokenData on success; 401 routed through httputil.Error (Warn level);
  publicPaths use path.Match wildcards; accepts Verifier (not Signer) to enforce
  narrowest-interface principle for verify-only services

Compliance test (package authjwt_test) enforces CT-6 (≤1 exported TypeSpec/file),
compile-time interface satisfaction, and behavioural coverage: HMAC/RSA/EC sign+verify,
algorithm mismatch rejection, IssueTokenPair claims/jti/fam, RefreshTokenPair success/
revoked/blacklist-error/custom-claims, MaxInt64 json.Number precision, AuthMiddleware
valid/invalid/expired/missing/public-path/wildcard/JSON-body/RSA-verifier/SetTokenData.

Depends on auth v1.0.0, contracts v1.0.0, core v1.0.0, web v1.0.0, jwt/v5 v5.2.1.

- identifiable.go: package-level Module variable (observability.Identifiable) for version
  identification — auth-jwt is a function library; not registered with the launcher

auth.go

@@ -0,0 +1,76 @@
+package authjwt
+
+import (
+	"encoding/json"
+	"net/http"
+	"path"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+
+	"code.nochebuena.dev/einherjar/auth/authmw"
+	"code.nochebuena.dev/einherjar/contracts/logging"
+	"code.nochebuena.dev/einherjar/core/xerrors"
+)
+
+// AuthMiddleware verifies the Bearer access token and injects uid + claims into context
+// via authmw.SetTokenData. Downstream authmw.EnrichmentMiddleware reads them transparently.
+//
+// Accepts a Verifier — pass a Signer when the service issues tokens, or a
+// NewRSAPublicKeyVerifier/NewECPublicKeyVerifier when it only verifies.
+//
+// Requests to publicPaths are skipped without verification (path.Match wildcards supported).
+// Returns 401 on missing, invalid, or expired tokens.
+func AuthMiddleware(logger logging.Logger, verifier Verifier, publicPaths []string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			for _, pattern := range publicPaths {
+				if matched, _ := path.Match(pattern, r.URL.Path); matched {
+					next.ServeHTTP(w, r)
+					return
+				}
+			}
+
+			authHeader := r.Header.Get("Authorization")
+			if !strings.HasPrefix(authHeader, "Bearer ") {
+				writeUnauthorized(logger, w, r)
+				return
+			}
+			tokenStr := strings.TrimPrefix(authHeader, "Bearer ")
+
+			token, err := verifier.Verify(tokenStr)
+			if err != nil {
+				writeUnauthorized(logger, w, r)
+				return
+			}
+
+			claims, ok := token.Claims.(jwt.MapClaims)
+			if !ok {
+				writeUnauthorized(logger, w, r)
+				return
+			}
+
+			uid, _ := claims["sub"].(string)
+			if uid == "" {
+				writeUnauthorized(logger, w, r)
+				return
+			}
+
+			ctx := authmw.SetTokenData(r.Context(), uid, map[string]any(claims))
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+func writeUnauthorized(logger logging.Logger, w http.ResponseWriter, r *http.Request) {
+	logger.WithContext(r.Context()).Warn("auth-jwt: unauthorized",
+		"error_code", string(xerrors.ErrUnauthorized),
+		"status", http.StatusUnauthorized,
+	)
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusUnauthorized)
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"code":    string(xerrors.ErrUnauthorized),
+		"message": "unauthorized",
+	})
+}