feat(auth): add Dex JWT middleware to supervisor, routing pod, and brain MCP
Closes #6 on gitea.d-ma.be/mathias/hyperguild.
Dex is deployed at auth.d-ma.be. All three MCP servers now accept JWTs
issued by Dex in addition to static bearer tokens, enabling claude.ai
OAuth 2.0 integration without abandoning backward-compat CLI auth.
Changes:
- internal/auth/: new Validator (JWKS auto-refresh via lestrrat-go/jwx/v2),
ProtectedResourceHandler (RFC 9728 /.well-known/oauth-protected-resource)
- internal/mcp/Server: adds optional *auth.Validator; checkAuth tries JWT
first, then static token fallback; both-nil = auth disabled (unchanged default)
- cmd/supervisor, cmd/routing: construct Validator from DEX_ISSUER_URL +
MCP_AUDIENCE env vars; register protected-resource handler when set
- ingestion/internal/auth/: same Validator + handler (separate module)
- ingestion/internal/mcp/BearerAuth: same JWT-or-static chain
- ingestion/cmd/server: same wiring pattern
New env vars (all optional; absent = static-token-only, same as before):
DEX_ISSUER_URL — Dex issuer URL (e.g. https://auth.d-ma.be)
MCP_AUDIENCE — expected aud claim (e.g. brain, supervisor)
MCP_RESOURCE_URL — resource identifier for RFC 9728 metadata response
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
c7e0192486