Add Nix flake for mcproxyctl

Vendor dependencies and expose mcproxyctl binary via nix build.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vendor/git.wntrmute.dev/kyle/mcdsl/auth/cache.go

@@ -0,0 +1,71 @@
+package auth
+
+import (
+	"sync"
+	"time"
+)
+
+// cacheEntry holds a cached TokenInfo and its expiration time.
+type cacheEntry struct {
+	info      *TokenInfo
+	expiresAt time.Time
+}
+
+// validationCache provides a concurrency-safe, TTL-based cache for token
+// validation results. Tokens are keyed by their SHA-256 hex digest.
+type validationCache struct {
+	mu      sync.RWMutex
+	entries map[string]cacheEntry
+	ttl     time.Duration
+	now     func() time.Time // injectable clock for testing
+}
+
+// newCache creates a validationCache with the given TTL.
+func newCache(ttl time.Duration) *validationCache {
+	return &validationCache{
+		entries: make(map[string]cacheEntry),
+		ttl:     ttl,
+		now:     time.Now,
+	}
+}
+
+// get returns cached TokenInfo for the given token hash, or false if
+// the entry is missing or expired. Expired entries are lazily evicted.
+func (c *validationCache) get(tokenHash string) (*TokenInfo, bool) {
+	c.mu.RLock()
+	entry, ok := c.entries[tokenHash]
+	c.mu.RUnlock()
+
+	if !ok {
+		return nil, false
+	}
+
+	if c.now().After(entry.expiresAt) {
+		// Lazy evict the expired entry.
+		c.mu.Lock()
+		if e, exists := c.entries[tokenHash]; exists && c.now().After(e.expiresAt) {
+			delete(c.entries, tokenHash)
+		}
+		c.mu.Unlock()
+		return nil, false
+	}
+
+	return entry.info, true
+}
+
+// clear removes all entries from the cache.
+func (c *validationCache) clear() {
+	c.mu.Lock()
+	c.entries = make(map[string]cacheEntry)
+	c.mu.Unlock()
+}
+
+// put stores TokenInfo in the cache with an expiration of now + TTL.
+func (c *validationCache) put(tokenHash string, info *TokenInfo) {
+	c.mu.Lock()
+	c.entries[tokenHash] = cacheEntry{
+		info:      info,
+		expiresAt: c.now().Add(c.ttl),
+	}
+	c.mu.Unlock()
+}