Add auth package: MCIAS token validation with caching

- Authenticator with Login, ValidateToken, Logout
- 30-second SHA-256-keyed cache with lazy eviction
- TLS 1.3, custom CA support, service context (name + tags)
- Error types: ErrInvalidToken, ErrInvalidCredentials,
  ErrForbidden, ErrUnavailable
- Context helpers for TokenInfo propagation
- 14 tests with mock MCIAS server and injectable clock

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

auth/context.go

@@ -0,0 +1,19 @@
+package auth
+
+import "context"
+
+// contextKey is an unexported type used as the context key for TokenInfo,
+// preventing collisions with keys from other packages.
+type contextKey struct{}
+
+// ContextWithTokenInfo returns a new context carrying the given TokenInfo.
+func ContextWithTokenInfo(ctx context.Context, info *TokenInfo) context.Context {
+	return context.WithValue(ctx, contextKey{}, info)
+}
+
+// TokenInfoFromContext extracts TokenInfo from the context. It returns nil
+// if no TokenInfo is present.
+func TokenInfoFromContext(ctx context.Context) *TokenInfo {
+	info, _ := ctx.Value(contextKey{}).(*TokenInfo)
+	return info
+}