Include account_type in token validation response

The /v1/token/validate endpoint now returns account_type ("human" or
"system") alongside username and roles. The account lookup was already
happening — this just surfaces the type in the response.

Required by downstream services (MCR, Metacrypt) whose policy engines
match on account type.

Security: no new data exposure — account_type is non-sensitive metadata
already available to any authenticated admin via GET /v1/accounts/{id}.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.junie/guidelines.md

@@ -1 +0,0 @@
-CLAUDE.md

internal/server/server.go

@@ -704,11 +704,12 @@ type validateRequest struct {
 }
 
 type validateResponse struct {
-	Subject   string   `json:"sub,omitempty"`
+	Subject     string   `json:"sub,omitempty"`
-	Username  string   `json:"username,omitempty"`
+	Username    string   `json:"username,omitempty"`
-	ExpiresAt string   `json:"expires_at,omitempty"`
+	AccountType string   `json:"account_type,omitempty"`
-	Roles     []string `json:"roles,omitempty"`
+	ExpiresAt   string   `json:"expires_at,omitempty"`
-	Valid     bool     `json:"valid"`
+	Roles       []string `json:"roles,omitempty"`
+	Valid       bool     `json:"valid"`
 }
 
 func (s *Server) handleTokenValidate(w http.ResponseWriter, r *http.Request) {
@@ -753,6 +754,7 @@ func (s *Server) handleTokenValidate(w http.ResponseWriter, r *http.Request) {
 	}
 	if acct, err := s.db.GetAccountByUUID(claims.Subject); err == nil {
 		resp.Username = acct.Username
+		resp.AccountType = string(acct.AccountType)
 	}
 	writeJSON(w, http.StatusOK, resp)
 }