Batch A: blob storage layer, MCIAS auth, OCI token endpoint

Phase 2 — internal/storage/:
Content-addressed blob storage with atomic writes via rename.
BlobWriter stages data in uploads dir with running SHA-256 hash,
commits by verifying digest then renaming to layers/sha256/<prefix>/<hex>.
Reader provides Open, Stat, Delete, Exists with digest validation.

Phase 3 — internal/auth/ + internal/server/:
MCIAS client with Login and ValidateToken, 30s SHA-256-keyed cache
with lazy eviction and injectable clock for testing. TLS 1.3 minimum
with optional custom CA cert.
Chi router with RequireAuth middleware (Bearer token extraction,
WWW-Authenticate header, OCI error format), token endpoint (Basic
auth → bearer exchange via MCIAS), and /v2/ version check handler.

52 tests passing (14 storage + 9 auth + 9 server + 20 existing).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/server/middleware_test.go

@@ -0,0 +1,112 @@
+package server
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"git.wntrmute.dev/kyle/mcr/internal/auth"
+)
+
+type fakeValidator struct {
+	claims *auth.Claims
+	err    error
+}
+
+func (f *fakeValidator) ValidateToken(_ string) (*auth.Claims, error) {
+	return f.claims, f.err
+}
+
+func TestRequireAuthValid(t *testing.T) {
+	t.Helper()
+	claims := &auth.Claims{Subject: "alice", AccountType: "user", Roles: []string{"reader"}}
+	validator := &fakeValidator{claims: claims}
+
+	var gotClaims *auth.Claims
+	inner := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
+		gotClaims = auth.ClaimsFromContext(r.Context())
+	})
+
+	handler := RequireAuth(validator, "mcr-test")(inner)
+
+	req := httptest.NewRequest(http.MethodGet, "/v2/", nil)
+	req.Header.Set("Authorization", "Bearer valid-token")
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status: got %d, want %d", rec.Code, http.StatusOK)
+	}
+	if gotClaims == nil {
+		t.Fatal("expected claims in context, got nil")
+	}
+	if gotClaims.Subject != "alice" {
+		t.Fatalf("subject: got %q, want %q", gotClaims.Subject, "alice")
+	}
+}
+
+func TestRequireAuthMissing(t *testing.T) {
+	t.Helper()
+	validator := &fakeValidator{claims: nil, err: auth.ErrUnauthorized}
+
+	inner := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
+		t.Fatal("inner handler should not be called")
+	})
+
+	handler := RequireAuth(validator, "mcr-test")(inner)
+
+	req := httptest.NewRequest(http.MethodGet, "/v2/", nil)
+	// No Authorization header.
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("status: got %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+
+	wwwAuth := rec.Header().Get("WWW-Authenticate")
+	want := `Bearer realm="/v2/token",service="mcr-test"`
+	if wwwAuth != want {
+		t.Fatalf("WWW-Authenticate: got %q, want %q", wwwAuth, want)
+	}
+
+	var ociErr ociErrorResponse
+	if err := json.NewDecoder(rec.Body).Decode(&ociErr); err != nil {
+		t.Fatalf("decode OCI error: %v", err)
+	}
+	if len(ociErr.Errors) != 1 || ociErr.Errors[0].Code != "UNAUTHORIZED" {
+		t.Fatalf("OCI error: got %+v, want UNAUTHORIZED", ociErr.Errors)
+	}
+}
+
+func TestRequireAuthInvalid(t *testing.T) {
+	t.Helper()
+	validator := &fakeValidator{claims: nil, err: auth.ErrUnauthorized}
+
+	inner := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
+		t.Fatal("inner handler should not be called")
+	})
+
+	handler := RequireAuth(validator, "mcr-test")(inner)
+
+	req := httptest.NewRequest(http.MethodGet, "/v2/", nil)
+	req.Header.Set("Authorization", "Bearer bad-token")
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("status: got %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+
+	var ociErr ociErrorResponse
+	if err := json.NewDecoder(rec.Body).Decode(&ociErr); err != nil {
+		t.Fatalf("decode OCI error: %v", err)
+	}
+	if len(ociErr.Errors) != 1 || ociErr.Errors[0].Code != "UNAUTHORIZED" {
+		t.Fatalf("OCI error: got %+v, want UNAUTHORIZED", ociErr.Errors)
+	}
+}