
feat(exousia): authentication and authorization (P2-04)#48

Merged
forkwright merged 1 commit into main from p2-04/exousia on Mar 12, 2026

Conversation

@forkwright (Owner)

Summary

  • Implements crates/exousia/ — identity, authentication, and authorization for Harmonia
  • JWT access tokens (HS256, 15 min TTL) with Claims struct per auth.md spec
  • Rotated refresh tokens (30 day, 64 random bytes stored as SHA-256 hash)
  • Prefixed API keys (hmn_{8-char-short}_{24-char-long} format; long token stored as SHA-256 hash; renderer variant hmn_rnd_*)
  • ExousiaServiceImpl implementing the AuthService trait — login, refresh, logout, validate_bearer, validate_api_key, create_user, create_api_key, revoke_api_key
  • Axum extractors: AuthenticatedUser (Bearer → X-Api-Key → query param priority) and RequireAdmin; both FromRequestParts returning structured { error, code, correlation_id } JSON on failure
  • Error enum per snafu + GreptimeDB pattern with location tracking

Test plan

  • 29 tests, all passing
  • cargo fmt --all -- --check
  • cargo clippy -p exousia -- -D warnings
  • cargo test -p exousia ✓ (29/29)

Covered:

  • Login flow: create user → login → valid tokens
  • Refresh flow: old token revoked, new token works
  • Logout: refresh token revoked
  • Expired token rejected
  • API key: generate → validate → revoke → validation fails
  • API key format: correct prefix, short/long token lengths
  • Password hashing: hash → verify succeeds, wrong password fails
  • Extractor: Bearer header, X-Api-Key header, query param token → AuthenticatedUser
  • RequireAdmin: Admin passes, Member gets 403
  • Priority order: Bearer takes precedence over API key
  • No auth headers → 401 with structured error body
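The credential priority and failure shape that the extractor tests above exercise, written out as an added example; this is not code from the PR or from the exousia crate. It assumes a `token` query parameter name, the error codes `AUTH_MISSING`, `AUTH_INVALID` and `AUTH_FORBIDDEN`, a hand-built JSON body in place of serde, and a constructed in-memory credential table standing in for the AuthService; everything else (Bearer over X-Api-Key over query param, 401 with `{ error, code, correlation_id }`, 403 for a Member hitting RequireAdmin) follows the PR description.

```rust
use std::collections::HashMap;

/// Household tiers named in the PR.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Role { Admin, Member }

/// The three credential carriers the extractor accepts, in priority order.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Credential { Bearer(String), ApiKey(String), QueryToken(String) }

/// Stand-in for the request parts an Axum extractor inspects (constructed for this
/// example). Header names are stored lowercased because HTTP header lookup is case-insensitive.
pub struct RequestParts {
    pub headers: HashMap<String, String>,
    pub query: HashMap<String, String>,
}

/// Structured failure body `{ error, code, correlation_id }` plus the HTTP status to send.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuthError { pub status: u16, pub error: String, pub code: String, pub correlation_id: String }

impl AuthError {
    fn new(status: u16, error: &str, code: &str, correlation_id: &str) -> Self {
        AuthError { status, error: error.into(), code: code.into(), correlation_id: correlation_id.into() }
    }

    /// Hand-rolled JSON so the example stays dependency-free (the crate would use serde).
    pub fn to_json(&self) -> String {
        let esc = |s: &str| s.replace('\\', "\\\\").replace('"', "\\\"");
        format!("{{\"error\":\"{}\",\"code\":\"{}\",\"correlation_id\":\"{}\"}}",
            esc(&self.error), esc(&self.code), esc(&self.correlation_id))
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuthenticatedUser { pub user_id: u64, pub role: Role }

/// Pick exactly one credential: Bearer wins over X-Api-Key, which wins over the
/// `token` query parameter (the parameter name is an assumption of this example).
pub fn select_credential(parts: &RequestParts) -> Option<Credential> {
    if let Some(tok) = parts.headers.get("authorization").and_then(|v| v.strip_prefix("Bearer ")) {
        return Some(Credential::Bearer(tok.trim().to_string()));
    }
    if let Some(key) = parts.headers.get("x-api-key") {
        return Some(Credential::ApiKey(key.clone()));
    }
    parts.query.get("token").map(|t| Credential::QueryToken(t.clone()))
}

/// `AuthenticatedUser` extractor logic. `verify` stands in for the service's
/// validate_bearer / validate_api_key calls and is supplied by the caller.
pub fn authenticate<F>(parts: &RequestParts, correlation_id: &str, verify: F) -> Result<AuthenticatedUser, AuthError>
where F: Fn(&Credential) -> Option<AuthenticatedUser> {
    match select_credential(parts) {
        // No carrier at all: 401 with the structured body, never a bare status.
        None => Err(AuthError::new(401, "missing credentials", "AUTH_MISSING", correlation_id)),
        // A carrier was present but did not verify: same status, distinct code for operators.
        Some(cred) => verify(&cred)
            .ok_or_else(|| AuthError::new(401, "invalid credentials", "AUTH_INVALID", correlation_id)),
    }
}

/// `RequireAdmin` layered on top: a valid Member is authenticated but forbidden (403).
pub fn require_admin(parts: &RequestParts, correlation_id: &str,
    verify: impl Fn(&Credential) -> Option<AuthenticatedUser>) -> Result<AuthenticatedUser, AuthError> {
    let user = authenticate(parts, correlation_id, verify)?;
    if user.role == Role::Admin { Ok(user) }
    else { Err(AuthError::new(403, "admin role required", "AUTH_FORBIDDEN", correlation_id)) }
}

/// Constructed credential table standing in for the database-backed AuthService.
pub fn demo_verify(cred: &Credential) -> Option<AuthenticatedUser> {
    match cred {
        Credential::Bearer(t) | Credential::QueryToken(t) if t == "jwt-for-alice" =>
            Some(AuthenticatedUser { user_id: 1, role: Role::Admin }),
        Credential::ApiKey(k) if k == "hmn_deadbeef_000000000000000000000000" =>
            Some(AuthenticatedUser { user_id: 2, role: Role::Member }),
        _ => None,
    }
}

/// Build request parts from header and query pairs (lowercases header names).
pub fn parts(headers: &[(&str, &str)], query: &[(&str, &str)]) -> RequestParts {
    RequestParts {
        headers: headers.iter().map(|(k, v)| (k.to_ascii_lowercase(), v.to_string())).collect(),
        query: query.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect(),
    }
}

fn main() {
    let both = parts(&[("Authorization", "Bearer jwt-for-alice"),
                       ("X-Api-Key", "hmn_deadbeef_000000000000000000000000")], &[]);
    println!("{:?}", authenticate(&both, "c-1", demo_verify)); // Bearer wins: user 1
    println!("{}", authenticate(&parts(&[], &[]), "c-2", demo_verify).unwrap_err().to_json());
}
```

The two 401 paths share a status but carry different `code` values, so a dashboard can separate "no credential sent" from "credential rejected" without exposing which token was wrong; the `correlation_id` is the handle an operator uses to find the matching server-side log line.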

Implements the exousia crate — identity, authentication, and authorization
for Harmonia. Household model with Admin/Member tiers, JWT access tokens
(15 min HS256), rotated refresh tokens (30 day, SHA-256 stored), and
prefixed API keys (hmn_{short}_{long} format, long token SHA-256 stored).
@forkwright forkwright merged commit 358d9a9 into main Mar 12, 2026
2 checks passed
@forkwright forkwright deleted the p2-04/exousia branch March 13, 2026 14:05