Add AccountType to TokenInfo

- TokenInfo now includes AccountType ("human" or "system") from the
  MCIAS validate response
- Required for policy engines (MCR, Metacrypt) that match on account type
- Mock MCIAS in tests updated to return account_type
- New assertion in TestValidateToken verifies AccountType is populated

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

auth/auth_test.go

@@ -54,18 +54,20 @@ func mockMCIAS(t *testing.T) *httptest.Server {
 		case "tok-admin-123":
 			w.Header().Set("Content-Type", "application/json")
 			_ = json.NewEncoder(w).Encode(map[string]interface{}{
-				"valid":    true,
-				"sub":      "uuid-admin",
-				"username": "admin",
-				"roles":    []string{"admin", "user"},
+				"valid":        true,
+				"sub":          "uuid-admin",
+				"username":     "admin",
+				"account_type": "human",
+				"roles":        []string{"admin", "user"},
 			})
 		case "tok-user-456":
 			w.Header().Set("Content-Type", "application/json")
 			_ = json.NewEncoder(w).Encode(map[string]interface{}{
-				"valid":    true,
-				"sub":      "uuid-user",
-				"username": "alice",
-				"roles":    []string{"user"},
+				"valid":        true,
+				"sub":          "uuid-user",
+				"username":     "alice",
+				"account_type": "human",
+				"roles":        []string{"user"},
 			})
 		case "tok-expired":
 			w.Header().Set("Content-Type", "application/json")
@@ -154,6 +156,9 @@ func TestValidateToken(t *testing.T) {
 	if info.Username != "admin" {
 		t.Fatalf("Username = %q, want %q", info.Username, "admin")
 	}
+	if info.AccountType != "human" {
+		t.Fatalf("AccountType = %q, want %q", info.AccountType, "human")
+	}
 	if !info.IsAdmin {
 		t.Fatal("IsAdmin = false, want true")
 	}