feat(contracts): initial implementation (v1.0.0)

Introduces code.nochebuena.dev/einherjar/contracts — the zero-dependency
foundation of the Einherjar framework. Defines the interfaces and minimal
types consumed by every starter. Zero external dependencies. Zero Einherjar
dependencies. Nothing is above it in the dependency graph.

lifecycle:
- Component — OnInit, OnStart, OnStop three-phase lifecycle hooks

observability:
- Level (LevelCritical=0, LevelDegraded); zero value is the safe default
- Checkable — HealthCheck, Name, Priority
- Identifiable — ModulePath, ModuleVersion; implemented by all starters to
  surface module identity and version in the startup banner

logging:
- Logger — Debug, Info, Warn, Error, With, WithContext

errs:
- CodedError — ErrorCode() string; satisfied by core/xerrors.Err
- ContextualError — ErrorContext() map[string]any; satisfied by core/xerrors.Err

security:
- Identity value type — UID, TenantID, DisplayName, Email; NewIdentity, WithTenant
- Permission (int64), MaxPermission=62, PermissionMask — Has, Grant
- PermissionProvider — ResolveMask(ctx, uid, resource) (PermissionMask, error)
- SecurityBag value type — immutable request-scoped security context; carries
  Identity and arbitrary typed attributes (hardware IDs, grant codes, etc.);
  With copies the attribute map on every call to preserve receiver-invariant behaviour
- NewSecurityBag, Identity, WithIdentity, Get, With
- SetBagInContext / BagFromContext — full bag context storage
- SetInContext / FromContext — backed by SecurityBag; all four cross-function
  combinations (SetInContext+BagFromContext, SetBagInContext+FromContext) are valid

One file per type; CT-6 enforced by compliance test AST walk.

observability/checkable.go

@@ -0,0 +1,17 @@
+package observability
+
+import "context"
+
+// Checkable is the interface implemented by infrastructure components that report
+// their health status to a health handler. Pass Checkable components to the web
+// starter's health handler — the handler calls each concurrently with a deadline.
+type Checkable interface {
+	// HealthCheck performs a connectivity or liveness probe for the component.
+	// Returns nil when the component is healthy, a non-nil error otherwise.
+	// Implementations must respect ctx cancellation and return promptly on timeout.
+	HealthCheck(ctx context.Context) error
+	// Name returns the component's display name used in health check responses.
+	Name() string
+	// Priority returns the criticality level of this component.
+	Priority() Level
+}

observability/doc.go

@@ -0,0 +1,3 @@
+// Package observability defines the Checkable interface for infrastructure health
+// reporting and the Level type that classifies component criticality.
+package observability

observability/identifiable.go

@@ -0,0 +1,14 @@
+package observability
+
+// Identifiable is implemented by infrastructure components that can report their
+// module identity — the import path and released version.
+// The launcher reads this interface from all registered components to print
+// the loaded-module list after the startup banner.
+type Identifiable interface {
+	// ModulePath returns the fully-qualified Go module import path.
+	// Example: "code.nochebuena.dev/einherjar/web"
+	ModulePath() string
+	// ModuleVersion returns the version this module was compiled at.
+	// Returns "(devel)" when the binary was built from a local workspace.
+	ModuleVersion() string
+}

observability/level.go

@@ -0,0 +1,15 @@
+package observability
+
+// Level classifies the criticality of a component to the overall application health.
+// The zero value is LevelCritical — a safe default that treats unknown components
+// as essential.
+type Level int
+
+const (
+	// LevelCritical marks a component essential for application function.
+	// A failing critical component sets the overall health status to DOWN (HTTP 503).
+	LevelCritical Level = iota
+	// LevelDegraded marks a component that is important but not essential.
+	// A failing degraded component sets the overall status to DEGRADED (HTTP 200).
+	LevelDegraded
+)