feat(httpauth-jwt): initial release — self-issued JWT auth middleware v1.0.0

Provides AuthMiddleware (calls httpauth.SetTokenData, accepts Verifier or Signer),
IssueTokenPair (access + refresh tokens as jwt.MapClaims, custom claims at top
level for ClaimsPermissionProvider compatibility), RefreshTokenPair (blacklist
check + rotation + re-issue), and Signer/Verifier implementations for HMAC-SHA256
and RSA-SHA256 including PEM loaders and a public-key-only Verifier for read-only
microservices.

doc.go

@@ -0,0 +1,26 @@
+// Package jwtauth provides self-issued JWT authentication middleware and token
+// management for HTTP services.
+//
+// It integrates with code.nochebuena.dev/go/httpauth: AuthMiddleware verifies
+// Bearer tokens and calls httpauth.SetTokenData, making uid and claims available
+// to EnrichmentMiddleware, AuthzMiddleware, and ClaimsPermissionProvider.
+//
+// Typical flow:
+//
+//  1. Issue a token pair on login:
+//
+//     signer := jwtauth.NewHMACSigner([]byte(os.Getenv("JWT_SECRET")))
+//     pair, err := jwtauth.IssueTokenPair(signer, uid, customClaims, cfg)
+//
+//  2. Protect routes:
+//
+//     r.Use(jwtauth.AuthMiddleware(signer, publicPaths))
+//     r.Use(httpauth.EnrichmentMiddleware(myEnricher))
+//
+//  3. Rotate tokens on refresh:
+//
+//     newPair, err := jwtauth.RefreshTokenPair(ctx, signer, refreshToken, blacklist, cfg, freshClaims)
+//
+// For microservices that only verify tokens (not issue them), use NewRSAPublicKeyVerifier
+// or NewRSAPublicKeyVerifierFromPEM with the public key only.
+package jwtauth