Populate AccountType in auth shim from mcdsl

Now that mcdsl/auth.TokenInfo carries AccountType (from the updated
MCIAS validate response), the MCR auth shim passes it through to
Claims.AccountType. Policy engine rules matching on account type
now work correctly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/auth/client.go

@@ -57,7 +57,8 @@ func (c *Client) ValidateToken(token string) (*Claims, error) {
 		return nil, ErrMCIASUnavailable
 	}
 	return &Claims{
-		Subject: info.Username,
+		Subject:     info.Username,
-		Roles:   info.Roles,
+		AccountType: info.AccountType,
+		Roles:       info.Roles,
 	}, nil
 }