feat: initial shared auth module

Signed user-header middleware (UserMiddleware/FromContext/User, ADR-0005) plus
the deployed-secrets startup guard (MissingDeployedSecrets, ADR-0005/0006).
Replaces the byte-identical auth package + secrets_guard.go copied into every
backend service.

.gitea/workflows/ci.yaml

@@ -0,0 +1,35 @@
+name: auth
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    if: gitea.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version: 'stable'
+      - name: Format check
+        run: |
+          go install mvdan.cc/gofumpt@latest
+          test -z "$(gofumpt -l .)"
+      - name: Run tests
+        run: go test -race ./...
+  vulnerabilities:
+    if: gitea.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version: 'stable'
+      - name: Check vulnerabilities
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck ./...