feat(auth,password): add JWT/PASETO helpers and password hashing #30

Merged: hyp3rd merged 2 commits into main from feat/auth on Jan 9, 2026

Conversation

hyp3rd (Owner) commented Jan 9, 2026

Introduce new security-focused primitives:

  • pkg/auth: JWT signer/verifier (alg allowlist, exp/iss/aud/sub checks, kid support, clock leeway, single/multi-key and custom keyfunc) and PASETO v4 local/public helpers with claim validation and secure defaults (exp required by default).
  • pkg/password: argon2id (PHC format, presets, rehash detection) and bcrypt (cost handling, 72-byte limit) plus constant‑time comparison utility.

Quality and docs:

  • Add comprehensive tests for JWT, PASETO, argon2id, and bcrypt (expiry, audience mismatch, invalid tokens, etc.).
  • Update README and docs (usage, security checklist); expand cspell dictionary.

Build:

  • Add deps: github.com/golang-jwt/jwt/v5, aidanwoods.dev/go-paseto, golang.org/x/crypto, golang.org/x/sys.

No breaking changes; all additions are new packages.
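To make the pkg/auth bullet above concrete (alg allowlist, kid lookup, exp/aud checks, clock leeway, exp required by default), here is an added, stdlib-only Go sketch of that verification order. It is not the PR's code and does not use golang-jwt/jwt/v5: the names Verifier, SignHS256 and Scenarios are hypothetical, the secret and claim values are constructed, only HS256 is implemented, aud is treated as a single string, and the iss/sub checks and the PASETO helpers are left out for brevity.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrMalformed     = errors.New("jwt: malformed token")
	ErrAlgNotAllowed = errors.New("jwt: alg not in allowlist")
	ErrUnknownKid    = errors.New("jwt: unknown kid")
	ErrBadSignature  = errors.New("jwt: signature mismatch")
	ErrMissingExp    = errors.New("jwt: exp claim required")
	ErrExpired       = errors.New("jwt: token expired")
	ErrAudience      = errors.New("jwt: aud mismatch")
)

type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}

type Claims struct {
	Sub string `json:"sub,omitempty"`
	Aud string `json:"aud,omitempty"` // one string for brevity; RFC 7519 also permits an array
	Exp int64  `json:"exp,omitempty"`
}

// Verifier (hypothetical name) holds kid-indexed HMAC secrets, the alg allowlist and expected claims.
type Verifier struct {
	Keys     map[string][]byte
	Allowed  map[string]bool
	Audience string
	Leeway   time.Duration
	Now      func() time.Time
}
var b64 = base64.RawURLEncoding

func SignHS256(secret []byte, kid string, c Claims) string {
	h, _ := json.Marshal(Header{Alg: "HS256", Kid: kid})
	p, _ := json.Marshal(c)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, ErrMalformed }
	var h Header
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil { return nil, ErrMalformed }
	// Allowlist before key selection: the header is attacker-controlled, so "none" or a swapped alg is refused here.
	if !v.Allowed[h.Alg] || h.Alg != "HS256" { return nil, ErrAlgNotAllowed } // this toy verifies HS256 only
	key, ok := v.Keys[h.Kid] // an unknown kid is an error, never a fallback to a default key
	if !ok { return nil, ErrUnknownKid }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return nil, ErrMalformed }
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { return nil, ErrBadSignature } // constant-time compare
	var c Claims // the payload is parsed only after the MAC checks out
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil { return nil, ErrMalformed }
	if c.Exp == 0 { return nil, ErrMissingExp } // exp required by default
	if v.Now().After(time.Unix(c.Exp, 0).Add(v.Leeway)) { return nil, ErrExpired }
	if v.Audience != "" && c.Aud != v.Audience { return nil, ErrAudience }
	return &c, nil
}

// Scenarios runs the verifier over constructed tokens and returns each case's outcome.
func Scenarios() map[string]error {
	now := time.Date(2026, 1, 9, 14, 0, 0, 0, time.UTC)
	secret := []byte("constructed-demo-secret-do-not-use") // constructed, not a real key
	v := &Verifier{Keys: map[string][]byte{"2026-01": secret}, Allowed: map[string]bool{"HS256": true},
		Audience: "api", Leeway: 60 * time.Second, Now: func() time.Time { return now }}
	base := Claims{Sub: "alice", Aud: "api", Exp: now.Add(time.Hour).Unix()}
	out := map[string]error{}; run := func(name, tok string) { _, err := v.Verify(tok); out[name] = err }
	with := func(f func(*Claims)) Claims { c := base; f(&c); return c }
	run("valid", SignHS256(secret, "2026-01", base))
	run("expired", SignHS256(secret, "2026-01", with(func(c *Claims) { c.Exp = now.Add(-2 * time.Hour).Unix() })))
	run("within_leeway", SignHS256(secret, "2026-01", with(func(c *Claims) { c.Exp = now.Add(-30 * time.Second).Unix() })))
	run("aud_mismatch", SignHS256(secret, "2026-01", with(func(c *Claims) { c.Aud = "admin-console" })))
	run("unknown_kid", SignHS256(secret, "retired", base))
	// alg=none forgery: unsigned header and payload with an empty signature segment.
	hn, _ := json.Marshal(Header{Alg: "none", Kid: "2026-01"}); pn, _ := json.Marshal(base)
	run("alg_none", b64.EncodeToString(hn)+"."+b64.EncodeToString(pn)+".")
	// Payload tampering: sub swapped to "admin" while the original signature is kept.
	parts := strings.Split(SignHS256(secret, "2026-01", base), "."); pt, _ := json.Marshal(with(func(c *Claims) { c.Sub = "admin" }))
	run("tampered", parts[0]+"."+b64.EncodeToString(pt)+"."+parts[2])
	return out
}

func main() { for name, err := range Scenarios() { fmt.Printf("%-14s %v\n", name, err) } }
```

The ordering is the point: algorithm check, then key selection by kid, then signature, and only then claims. A verifier that parses claims first, or that falls back to a default key when the kid is unknown, gives an attacker a way to pick which key and which algorithm their forged header is checked against.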

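The pkg/password bullet above lists three mechanisms that need no hashing library to demonstrate: the PHC string that argon2id output is stored in, rehash detection by comparing the parameters recorded in that string against the current preset, and the bcrypt 72-byte limit together with a constant-time compare. The following is an added, stdlib-only Go example, not the PR's code; ParseArgon2idPHC, NeedsRehash, CheckBcryptLength, ConstantTimeEqual and the two preset values are assumptions made for this example, and the stored hash string is constructed (its salt and hash fields are placeholder base64, not a real argon2id output).

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var (
	ErrInvalidPHC      = errors.New("password: malformed argon2id PHC string")
	ErrPasswordTooLong = errors.New("password: bcrypt input exceeds 72 bytes")
)

// Argon2idParams are the cost parameters carried in a PHC string: m in KiB, t passes, p lanes.
type Argon2idParams struct {
	Version int
	Memory  uint32
	Time    uint32
	Threads uint8
}

// Illustrative presets; the PR names presets but the page gives no numbers, so these are assumed.
var (
	PresetInteractive = Argon2idParams{Version: 19, Memory: 64 * 1024, Time: 2, Threads: 4}
	PresetSensitive   = Argon2idParams{Version: 19, Memory: 256 * 1024, Time: 4, Threads: 4}
)

// ParseArgon2idPHC reads "$argon2id$v=19$m=65536,t=2,p=4$<salt>$<hash>" and returns its parameters.
func ParseArgon2idPHC(encoded string) (Argon2idParams, error) {
	// The leading "$" gives an empty first field: ["", "argon2id", "v=19", "m=..,t=..,p=..", salt, hash].
	f := strings.Split(encoded, "$")
	if len(f) != 6 || f[0] != "" || f[1] != "argon2id" || f[4] == "" || f[5] == "" {
		return Argon2idParams{}, ErrInvalidPHC
	}
	v, err := strconv.Atoi(strings.TrimPrefix(f[2], "v="))
	if !strings.HasPrefix(f[2], "v=") || err != nil {
		return Argon2idParams{}, ErrInvalidPHC
	}
	p := Argon2idParams{Version: v}
	seen := map[string]bool{}
	for _, kv := range strings.Split(f[3], ",") {
		k, val, ok := strings.Cut(kv, "=")
		n, perr := strconv.ParseUint(val, 10, 32)
		if !ok || perr != nil || seen[k] { // malformed or duplicated parameter
			return Argon2idParams{}, ErrInvalidPHC
		}
		seen[k] = true
		switch k {
		case "m":
			p.Memory = uint32(n)
		case "t":
			p.Time = uint32(n)
		case "p":
			if n == 0 || n > 255 {
				return Argon2idParams{}, ErrInvalidPHC
			}
			p.Threads = uint8(n)
		default: // unknown parameter: refuse rather than silently ignore
			return Argon2idParams{}, ErrInvalidPHC
		}
	}
	if len(seen) != 3 || p.Memory == 0 || p.Time == 0 {
		return Argon2idParams{}, ErrInvalidPHC
	}
	return p, nil
}

// NeedsRehash reports whether a stored hash was made with parameters other than the current target,
// so the caller can re-hash the plaintext it just verified and replace the stored value.
func NeedsRehash(encoded string, target Argon2idParams) (bool, error) {
	p, err := ParseArgon2idPHC(encoded)
	if err != nil {
		return false, err
	}
	return p != target, nil
}

// CheckBcryptLength enforces the 72-byte limit up front: bcrypt ignores bytes past 72, so without
// this check two long passwords sharing a 72-byte prefix would verify against the same hash.
func CheckBcryptLength(password []byte) error {
	if len(password) > 72 {
		return ErrPasswordTooLong
	}
	return nil
}

// ConstantTimeEqual compares fixed-length secrets (digests, MACs, tokens) without an early exit on the
// first differing byte. subtle returns 0 at once on a length mismatch, so lengths are not hidden.
func ConstantTimeEqual(a, b []byte) bool {
	return subtle.ConstantTimeCompare(a, b) == 1
}

func main() {
	stored := "$argon2id$v=19$m=65536,t=2,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA" // constructed
	p, err := ParseArgon2idPHC(stored)
	fmt.Println(p, err)
	fmt.Println(NeedsRehash(stored, PresetInteractive)) // false: matches the interactive preset
	fmt.Println(NeedsRehash(stored, PresetSensitive))   // true: stored parameters differ from target
	fmt.Println(CheckBcryptLength(make([]byte, 73)))
}
```

NeedsRehash is meant to run right after a successful verification, because that is the only moment the plaintext is available to compute the replacement hash; a parse failure is reported as an error rather than as "no rehash needed", so a corrupted record is never silently kept.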
Copilot AI review requested due to automatic review settings, January 9, 2026 14:27

Copilot AI (Contributor) left a comment

Pull request overview

This pull request introduces new security-focused primitives for authentication and password handling. The implementation adds JWT and PASETO v4 token handling with strict validation defaults, alongside argon2id and bcrypt password hashing utilities with parameter upgrade detection.

Key changes:

  • JWT signer/verifier with algorithm allowlisting, expiration enforcement, and multi-key support
  • PASETO v4 local (symmetric) and public (asymmetric) token helpers with claim validation
  • Argon2id and bcrypt password hashers with PHC format encoding and rehash detection

Reviewed changes

Copilot reviewed 20 out of 21 changed files in this pull request and generated 1 comment.

Summary per file:
pkg/auth/doc.go: Package documentation for auth helpers
pkg/auth/errors.go: Comprehensive error definitions for JWT and PASETO operations
pkg/auth/jwt.go: JWT signer and verifier with strict validation and flexible key management
pkg/auth/jwt_test.go: Test coverage for JWT sign/verify, audience validation, and kid handling
pkg/auth/paseto.go: PASETO v4 local/public helpers with encryption, signing, and verification
pkg/auth/paseto_test.go: Test coverage for PASETO round-trips and expiration validation
pkg/password/doc.go: Package documentation for password helpers
pkg/password/errors.go: Error definitions for password operations
pkg/password/types.go: Hasher interface definition for password hashing implementations
pkg/password/argon2id.go: Argon2id implementation with PHC format encoding and parameter presets
pkg/password/argon2id_test.go: Test coverage for argon2id hashing and rehash detection
pkg/password/bcrypt.go: Bcrypt implementation with cost presets and 72-byte limit enforcement
pkg/password/bcrypt_test.go: Test coverage for bcrypt hashing and password length validation
pkg/password/compare.go: Constant-time comparison utility for byte slices
pkg/password/compare_test.go: Test coverage for constant-time comparison
go.mod: Added dependencies for JWT, PASETO, and crypto libraries
go.sum: Checksums for new dependencies
README.md: Updated feature list and added usage examples for JWT and password hashing
docs/usage.md: Comprehensive documentation for new auth and password packages
docs/security-checklist.md: Security guidelines for token and password handling
cspell.json: Updated dictionary with crypto and auth-related terms

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@hyp3rd hyp3rd merged commit 1f7366a into main Jan 9, 2026
13 checks passed
@hyp3rd hyp3rd deleted the feat/auth branch January 9, 2026 14:51