feat(cache-valkey): initial implementation — Provider, adapters (v1.0.0)

Introduces code.nochebuena.dev/einherjar/cache-valkey — the Valkey cache starter
for the Einherjar framework. Absorbs the valkey package from micro-lib and adds
three duck-typed adapters that wire directly into auth, web, and auth-jwt.

Core:
- Provider interface — Get, Set, Del, Exists, Expire, IncrWithTTL, Native()
- Component interface — lifecycle.Component + observability.Checkable + Provider
- Config struct (EINHERJAR_VALKEY_* env vars)
- New(logger, cfg) Component — creates valkey-go client in OnInit;
  PING in OnStart; logs "valkey: connected"
- IncrWithTTL implemented with Lua script (atomic INCR + conditional EXPIRE);
  race-free fixed-window semantics with no MULTI/EXEC overhead
- Priority: LevelDegraded — Valkey outage degrades, does not halt the service

Adapters (duck-typed — no import of auth, web, or auth-jwt):
- PermissionCache — Get/Set int64 bitmasks as string; satisfies auth/rbac.Cache
- RateLimiterStore — fixed-window via IncrWithTTL; satisfies web/mw.RateLimiterStore
- Blacklist — Exists/Set "1" with TTL; satisfies auth-jwt.Blacklist

Compliance test verifies CT-6, duck-type shape assignments, and full adapter
behavioural coverage with a mockProvider (no live server required).

- Component interface embeds observability.Identifiable; identifiable.go implements
  ModulePath and ModuleVersion via runtime/debug.ReadBuildInfo() — prints in launcher banner

.gitea/pull_request_template.md

@@ -0,0 +1,70 @@
+## Summary
+
+<!-- One or two sentences: what does this PR do and why? -->
+
+---
+
+## Type of change
+
+- [ ] Bug fix — non-breaking change that resolves an issue
+- [ ] New feature — non-breaking addition of functionality
+- [ ] Breaking change — alters existing behavior or public API
+- [ ] Documentation update
+- [ ] Refactor — no functional change, no new API surface
+- [ ] Test improvement
+
+---
+
+## Description
+
+<!--
+Provide enough context for a reviewer who was not in the room:
+- What problem does this solve?
+- What approach did you choose, and why?
+- Were there alternatives you considered and rejected?
+- Any known limitations or follow-up work?
+-->
+
+---
+
+## Testing
+
+- [ ] I added or updated tests that cover my changes
+- [ ] All tests pass locally — `go test ./...`
+- [ ] No formatting issues — `gofmt -l .` produces no output
+- [ ] No vet warnings — `go vet ./...` is clean
+
+---
+
+## Checklist
+
+- [ ] At most one exported type per non-test `.go` file (CT-6)
+- [ ] No new external dependencies added without prior discussion in an issue
+- [ ] Public API changes are reflected in `CHANGELOG.md`
+- [ ] Breaking changes include a migration note in the PR description above
+
+---
+
+## Contributor License Agreement
+
+> **This PR will not be merged until the CLA comment is present.**
+
+Before a Maintainer reviews your code, you must post the following text **as a comment on this PR** — not here in the description. PR description checkboxes can be silently toggled by anyone; a comment is a timestamped, author-attributed record that cannot be quietly removed.
+
+**Copy and post this exact text as a PR comment:**
+
+---
+
+> I have read the Einherjar Contributor License Agreement (CLA.md) and I agree to all its terms.
+> I confirm this Contribution is my original work. I grant the Maintainers the rights described
+> therein, including the right to relicense, and I retain ownership of my copyright.
+> This agreement covers all future Contributions I submit to any Einherjar repository under
+> this account.
+
+---
+
+First time contributing? Read [CLA.md](../CLA.md) for the full agreement before posting the comment.
+
+If you are contributing on behalf of a company, an authorized representative of that company must post the comment.
+
+<!-- Thank you for contributing to Einherjar. For those who come after. -->