// Package authjwt provides JWT authentication middleware and token lifecycle
// management for the Einherjar framework. It supports HMAC-SHA256 (HS256),
// RSA-SHA256 (RS256), and ECDSA (ES256/ES384/ES512).
//
// # Typical wiring
//
//	// os.Getenv returns "" when JWT_SECRET is unset; check for an empty or
//	// short secret (HS256 needs at least 32 bytes) before building the signer.
//	signer := authjwt.NewHMACSigner([]byte(os.Getenv("JWT_SECRET")))
//	cfg := authjwt.TokenConfig{
//		AccessTTL:  15 * time.Minute,
//		RefreshTTL: 7 * 24 * time.Hour,
//		Issuer:     "myapp",
//	}
//
//	// Verify Bearer tokens and inject uid+claims into context.
//	// The final argument appears to be the list of paths exempt from
//	// verification; keep it as narrow as possible, since a wildcard such as
//	// "/auth/*" covers every route under that prefix.
//	srv.Use(authjwt.AuthMiddleware(logger, signer, []string{"/health", "/auth/*"}))
//
//	// Enrichment and authz from auth/authmw follow downstream.
//	srv.Use(authmw.EnrichmentMiddleware(logger, userEnricher))
//
//	// Issue tokens on login:
//	pair, err := authjwt.IssueTokenPair(signer, uid, customClaims, cfg)
//
//	// Rotate tokens on refresh:
//	newPair, err := authjwt.RefreshTokenPair(ctx, signer, body.RefreshToken, blacklist, cfg, freshClaims)
//	if errors.Is(err, authjwt.ErrTokenRevoked) {
//		// A revoked refresh token was presented again (replay attack) — force re-login.
//	}
package authjwt