The /v1/token/validate endpoint now returns account_type ("human" or
"system") alongside username and roles. The account lookup was already
happening — this just surfaces the type in the response.
Required by downstream services (MCR, Metacrypt) whose policy engines
match on account type.
Security: no new data exposure — account_type is non-sensitive metadata
already available to any authenticated admin via GET /v1/accounts/{id}.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Kyle Isom
35e96444aa