Add AccountType to TokenInfo

- TokenInfo now includes AccountType ("human" or "system") from the
  MCIAS validate response
- Required for policy engines (MCR, Metacrypt) that match on account type
- Mock MCIAS in tests updated to return account_type
- New assertion in TestValidateToken verifies AccountType is populated

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

auth/auth.go

@@ -73,6 +73,11 @@ type TokenInfo struct {
 	// Username is the MCIAS username (the "sub" claim).
 	Username string
 
+	// AccountType is the MCIAS account type: "human" or "system".
+	// Used by policy engines that need to distinguish interactive users
+	// from service accounts.
+	AccountType string
+
 	// Roles is the set of MCIAS roles assigned to the account.
 	Roles []string
 
@@ -193,10 +198,11 @@ func (a *Authenticator) ValidateToken(token string) (*TokenInfo, error) {
 	}
 
 	var resp struct {
-		Valid    bool     `json:"valid"`
-		Sub      string   `json:"sub"`
-		Username string   `json:"username"`
-		Roles    []string `json:"roles"`
+		Valid       bool     `json:"valid"`
+		Sub         string   `json:"sub"`
+		Username    string   `json:"username"`
+		AccountType string   `json:"account_type"`
+		Roles       []string `json:"roles"`
 	}
 	status, err := a.doJSON(http.MethodPost, "/v1/token/validate",
 		map[string]string{"token": token}, &resp)
@@ -209,9 +215,10 @@ func (a *Authenticator) ValidateToken(token string) (*TokenInfo, error) {
 	}
 
 	info := &TokenInfo{
-		Username: resp.Username,
-		Roles:    resp.Roles,
-		IsAdmin:  hasRole(resp.Roles, "admin"),
+		Username:    resp.Username,
+		AccountType: resp.AccountType,
+		Roles:       resp.Roles,
+		IsAdmin:     hasRole(resp.Roles, "admin"),
 	}
 	if info.Username == "" {
 		info.Username = resp.Sub