Batch A: blob storage layer, MCIAS auth, OCI token endpoint

Phase 2 — internal/storage/:
Content-addressed blob storage with atomic writes via rename.
BlobWriter stages data in uploads dir with running SHA-256 hash,
commits by verifying digest then renaming to layers/sha256/<prefix>/<hex>.
Reader provides Open, Stat, Delete, Exists with digest validation.

Phase 3 — internal/auth/ + internal/server/:
MCIAS client with Login and ValidateToken, 30s SHA-256-keyed cache
with lazy eviction and injectable clock for testing. TLS 1.3 minimum
with optional custom CA cert.
Chi router with RequireAuth middleware (Bearer token extraction,
WWW-Authenticate header, OCI error format), token endpoint (Basic
auth → bearer exchange via MCIAS), and /v2/ version check handler.

52 tests passing (14 storage + 9 auth + 9 server + 20 existing).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/storage/storage.go

@@ -0,0 +1,38 @@
+package storage
+
+import (
+	"path/filepath"
+	"regexp"
+)
+
+var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)
+
+// Store manages blob storage on the local filesystem.
+type Store struct {
+	layersPath  string
+	uploadsPath string
+}
+
+// New creates a Store that will write final blobs under layersPath and
+// stage in-progress uploads under uploadsPath.
+func New(layersPath, uploadsPath string) *Store {
+	return &Store{
+		layersPath:  layersPath,
+		uploadsPath: uploadsPath,
+	}
+}
+
+// validateDigest checks that digest matches sha256:<64 lowercase hex chars>.
+func validateDigest(digest string) error {
+	if !digestRe.MatchString(digest) {
+		return ErrInvalidDigest
+	}
+	return nil
+}
+
+// blobPath returns the filesystem path for a blob with the given digest.
+// The layout is: <layersPath>/sha256/<first-2-hex>/<full-64-hex>
+func (s *Store) blobPath(digest string) string {
+	hex := digest[len("sha256:"):]
+	return filepath.Join(s.layersPath, "sha256", hex[0:2], hex)
+}