// Package httpauthjwt provides self-issued JWT authentication middleware and token
// management for HTTP services.
//
// It integrates with code.nochebuena.dev/go/httpauth: AuthMiddleware verifies
// Bearer tokens and calls httpauth.SetTokenData, making uid and claims available
// to EnrichmentMiddleware, AuthzMiddleware, and ClaimsPermissionProvider.
//
// Typical flow:
//
//  1. Issue a token pair on login:
//
//     signer := httpauthjwt.NewHMACSigner([]byte(os.Getenv("JWT_SECRET")))
//     pair, err := httpauthjwt.IssueTokenPair(signer, uid, customClaims, cfg)
//
//  2. Protect routes:
//
//     r.Use(httpauthjwt.AuthMiddleware(signer, publicPaths))
//     r.Use(httpauth.EnrichmentMiddleware(myEnricher))
//
//  3. Rotate tokens on refresh:
//
//     newPair, err := httpauthjwt.RefreshTokenPair(ctx, signer, refreshToken, blacklist, cfg, freshClaims)
//
// For microservices that only verify tokens (not issue them), use NewRSAPublicKeyVerifier
// or NewRSAPublicKeyVerifierFromPEM with the public key only.
package httpauthjwt