Implement JWT token auth with transparent auto-renewal.

Replace per-call SSH signing with a two-layer auth system:

Server: AuthInterceptor verifies JWT tokens (HMAC-SHA256 signed with
repo-local jwt.key). Authenticate RPC accepts SSH-signed challenges
and issues 30-day JWTs. Expired-but-valid tokens return a
ReauthChallenge in error details (server-provided nonce for fast
re-auth). Authenticate RPC is exempt from token requirement.

Client: TokenCredentials replaces SSHCredentials as the primary
PerRPCCredentials. NewWithAuth creates clients with auto-renewal —
EnsureAuth obtains initial token, retryOnAuth catches Unauthenticated
errors and re-authenticates transparently. Token cached at
$XDG_STATE_HOME/sgard/token (0600).

CLI: dialRemote() helper handles token loading, connection setup,
and initial auth. Push/pull/prune commands simplified to use it.

Proto: Added Authenticate RPC, AuthenticateRequest/Response,
ReauthChallenge messages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/sgardd/main.go

@@ -29,9 +29,10 @@ var rootCmd = &cobra.Command{
 		}
 
 		var opts []grpc.ServerOption
+		var srvInstance *server.Server
 
 		if authKeysPath != "" {
-			auth, err := server.NewAuthInterceptor(authKeysPath)
+			auth, err := server.NewAuthInterceptor(authKeysPath, repoPath)
 			if err != nil {
 				return fmt.Errorf("loading authorized keys: %w", err)
 			}
@@ -39,13 +40,15 @@ var rootCmd = &cobra.Command{
 				grpc.UnaryInterceptor(auth.UnaryInterceptor()),
 				grpc.StreamInterceptor(auth.StreamInterceptor()),
 			)
+			srvInstance = server.NewWithAuth(g, auth)
 			fmt.Printf("Auth enabled: %s\n", authKeysPath)
 		} else {
+			srvInstance = server.New(g)
 			fmt.Println("WARNING: no --authorized-keys specified, running without authentication")
 		}
 
 		srv := grpc.NewServer(opts...)
-		sgardpb.RegisterGardenSyncServer(srv, server.New(g))
+		sgardpb.RegisterGardenSyncServer(srv, srvInstance)
 
 		lis, err := net.Listen("tcp", listenAddr)
 		if err != nil {