feat(auth): initial implementation — authmw and rbac (v1.0.0)

Introduces code.nochebuena.dev/einherjar/auth — the provider-agnostic HTTP
authentication and authorization layer of the Einherjar framework. Absorbs
two micro-lib packages (httpauth, rbac) as sub-packages, replacing the
Identity-only context model with a SecurityBag-native design and adding a
composable enrichment chain.

authmw:
- BagEnricher function type — enriches the request-scoped SecurityBag after
  the base Identity is built; registered via WithBagEnricher; multiple
  enrichers run in order, each receiving the bag from the previous
- IdentityEnricher interface — application-layer contract for loading user
  data from uid+claims
- EnrichmentMiddleware — builds SecurityBag from uid+claims, runs enricher
  chain, stores via security.SetBagInContext; 401 on missing uid, 500 on
  enricher error; routes all errors through httputil.Error
- AuthzMiddleware — per-route permission gate; 401 on missing identity,
  403 on provider error (fail-closed) or insufficient permissions
- EnrichOpt type + WithTenantHeader (reads TenantID from header, implemented
  as a BagEnricher) + WithBagEnricher (registers custom enrichers for
  hardware IDs, grant codes, or any bag attribute)
- SetTokenData / GetClaims — integration contract for auth-jwt / auth-firebase

rbac:
- NewClaimsPermissionProvider — reads flat JWT claim bitmasks from context;
  wildcard "*" fallback; handles int64/float64/json.Number; zero DB calls
- NewCachedPermissionProvider — TTL cache wrapping any PermissionProvider;
  default key "rbac:{uid}:{resource}" or "rbac:{tenantID}:{uid}:{resource}";
  TenantID sourced from SecurityBag automatically; accepts ...CachedOpt
- CachedOpt type + WithCacheKey — overrides the key function for extra
  dimensions (hardware IDs, grant codes read from bag attributes)
- NewChainPermissionProvider — tries providers in order; first non-zero wins;
  errors short-circuit; typical pattern: claims → cached DB fallback
- Cache interface — pluggable backend satisfied by cache-valkey via duck typing

Compliance test (package auth_test) enforces CT-6 (≤1 exported TypeSpec/file),
compile-time interface satisfaction, and behavioural coverage across the full
middleware and provider surface: enrichment success/failure, tenant header,
custom BagEnricher, bag-in-context, authz allowed/denied/error, claims
hit/wildcard/missing/float64, cached hit/miss/error/tenant-key/custom-key,
chain first-non-zero/fallthrough/error.

Depends on contracts v1.0.0, core v1.0.0, web v1.0.0.

- identifiable.go: package-level Module variable (observability.Identifiable) for version
  identification — auth is middleware-only; not registered with the launcher

rbac/chain_provider.go

@@ -0,0 +1,39 @@
+package rbac
+
+import (
+	"context"
+
+	"code.nochebuena.dev/einherjar/contracts/security"
+)
+
+var _ security.PermissionProvider = (*chainPermissionProvider)(nil)
+
+type chainPermissionProvider struct {
+	providers []security.PermissionProvider
+}
+
+// NewChainPermissionProvider tries providers in order, returning the first non-zero mask.
+// Errors short-circuit the chain immediately.
+//
+// Typical pattern: JWT claims fast-path → cached DB fallback:
+//
+//	rbac.NewChainPermissionProvider(
+//	    rbac.NewClaimsPermissionProvider("perms"),
+//	    rbac.NewCachedPermissionProvider(dbProvider, cache, 5*time.Minute),
+//	)
+func NewChainPermissionProvider(providers ...security.PermissionProvider) security.PermissionProvider {
+	return &chainPermissionProvider{providers: providers}
+}
+
+func (c *chainPermissionProvider) ResolveMask(ctx context.Context, uid, resource string) (security.PermissionMask, error) {
+	for _, p := range c.providers {
+		mask, err := p.ResolveMask(ctx, uid, resource)
+		if err != nil {
+			return 0, err
+		}
+		if mask != 0 {
+			return mask, nil
+		}
+	}
+	return 0, nil
+}