feat(auth): JWT-or-static middleware + /.well-known/oauth-protected-resource (issue #5)

- internal/auth/jwt.go: JWTValidator via lestrrat-go/jwx/v2, JWKS auto-refresh
- internal/auth/bearer.go: replace Gitea PAT validation with JWT->static->default chain
- internal/gitea/client.go: always use service PAT; remove TokenFromContext lookup
- internal/config/config.go: add DexIssuerURL, MCPAudience, MCPResourceURL, StaticToken
- cmd/gitea-mcp/main.go: wire validator, fix /.well-known to return real AS list
- bearer_test.go: rewrite for new API

Taskfile.yml

@@ -14,9 +14,38 @@ tasks:
   lint:
     desc: Run golangci-lint
     cmds: [golangci-lint run ./...]
-  check:
-    desc: Lint, vet, and test (used by CI)
+  vet:
     cmds:
-      - golangci-lint run ./...
       - go vet ./...
-      - go test ./... -race -count=1
+      - govulncheck ./... || true
+
+  check:
+    desc: Run all checks (context freshness + lint + test + vet)
+    cmds:
+      - task: context:sync
+      - cmd: |
+          drift=$(git status --porcelain -- AGENTS.md CLAUDE.md .cursorrules .aider.conventions.md .context/system-prompt.txt 2>/dev/null)
+          if [ -n "$drift" ]; then
+            echo "ERROR: derived adapters drifted from canonical context." >&2
+            echo "$drift" >&2
+            echo "" >&2
+            echo "Run: git add AGENTS.md CLAUDE.md .cursorrules .aider.conventions.md .context/system-prompt.txt" >&2
+            echo "     git commit -m 'chore: re-sync context adapters'" >&2
+            exit 1
+          fi
+          echo "✓ context: canonical and adapters are in sync"
+      - task: lint
+      - task: test
+      - task: vet
+
+  context:sync:
+    desc: Regenerate all harness-specific context files
+    cmds:
+      - bash scripts/context-sync.sh
+
+  context:sync:claude:
+    cmds: [bash scripts/context-sync.sh claude]
+  context:sync:agents:
+    cmds: [bash scripts/context-sync.sh agents]
+  context:sync:cursor:
+    cmds: [bash scripts/context-sync.sh cursor]