feat(proxy): implement JWT session minting with scope validation (P5.21.b, §13.21)

Implement plan §13.21 auth layer 2 for search UI session tokens:

**JWT Claims Structure (plan §13.21):**
- Add `iss: "miroir"` claim to identify token issuer
- Add `scope: Vec<String>` for allowed actions (search, multi_search, beacon)
- Keep `idx`, `sub`, `iat`, `exp` claims
- Update `sign_jwt` to use "search-ui-session" as default sub

**Scope Validation (defense-in-depth):**
- Add `validate_jwt_scope()` function to check (method, path) against scope
- Validate `idx` claim matches target index for search/beacon endpoints
- Return `JwtValidationError::ScopeDenied` on mismatch
- Integrate into `dispatch_bearer()` for automatic enforcement

**Session Response (plan §13.21):**
- Update `SearchUiSessionResponse` to include `index` and `rate_limit` fields
- Return `token`, `expires_at`, `index`, `rate_limit` from session endpoint

**Authentication Modes:**
- `public`: unauthenticated, IP rate-limited
- `shared_key`: requires X-Search-UI-Key header
- `oauth_proxy`: requires upstream auth headers

Closes: miroir-uhj.21.2
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
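
An added example, not code from this commit: a minimal Rust sketch of the check described under "Scope Validation", reusing the names `validate_jwt_scope` and `JwtValidationError::ScopeDenied` from the message. The route shapes, the `required` helper and the reduced `Claims` struct are assumptions made for illustration.

```rust
// Added sketch: route shapes are assumptions, not taken from the commit.
#[derive(Debug, PartialEq)]
pub enum JwtValidationError {
    ScopeDenied,
}

/// Only the claims this check reads; `iss`, `sub`, `iat`, `exp` are omitted.
pub struct Claims {
    pub idx: String,
    pub scope: Vec<String>,
}

/// Maps a request to (required scope, index named in the path).
/// Assumed routes: POST /indexes/{idx}/search, POST /indexes/{idx}/beacon,
/// POST /multi-search. `path` is expected without a query string.
fn required<'a>(method: &str, path: &'a str) -> Option<(&'static str, Option<&'a str>)> {
    if method != "POST" {
        return None;
    }
    // Strict split: a doubled or trailing slash yields an extra segment and no match.
    let segs: Vec<&str> = path.strip_prefix('/')?.split('/').collect();
    match segs.as_slice() {
        ["indexes", idx, "search"] => Some(("search", Some(*idx))),
        ["indexes", idx, "beacon"] => Some(("beacon", Some(*idx))),
        ["multi-search"] => Some(("multi_search", None)),
        _ => None,
    }
}

pub fn validate_jwt_scope(c: &Claims, method: &str, path: &str) -> Result<(), JwtValidationError> {
    // Fail closed: a route with no mapping is denied, not allowed by default.
    let (need, target) = required(method, path).ok_or(JwtValidationError::ScopeDenied)?;
    if !c.scope.iter().any(|s| s.as_str() == need) {
        return Err(JwtValidationError::ScopeDenied);
    }
    // The index in the path must equal the token's `idx` claim.
    match target {
        Some(t) if t != c.idx.as_str() => Err(JwtValidationError::ScopeDenied),
        _ => Ok(()),
    }
}

fn main() {
    let c = Claims { idx: "products".into(), scope: vec!["search".into()] };
    for p in ["/indexes/products/search", "/indexes/orders/search", "/indexes/products/beacon"] {
        println!("POST {p}: {:?}", validate_jwt_scope(&c, "POST", p));
    }
}
```

The sketch compares the raw path segment with `idx`; a real proxy has to apply the same path normalization here as its router does, or the two can disagree about which index a request targets.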