Summary

• Adds OIDCBearerAuthenticator in pkg/auth/inbound that wraps auth.OIDCAuthenticator with chain-safe semantics (ErrNoCredential for missing or non-JWT bearers, ErrInvalidCredential only when a structurally-valid JWT fails verification).
• Wires the adapter into the inbound chain as apikey → oidc → bearer, so Authorization: Bearer <jwt> from the configured IdP authenticates on /v1/*.
• Lifts OIDC validator construction out of buildPortal so the chain and BrowserAuth share one instance — discovery + JWKS fetch run once at startup.

Fixes #10.

Test plan

• make verify passes locally (gofmt, tidy, build, golangci-lint, gosec, codeql, govulncheck, UI typecheck + build, embedded-SPA sync gate, full Go tests).
• New table-driven test TestChain_OIDCBeforeBearer covers the four cases from the ticket:
  • Valid JWT with correct issuer/audience → Identity from OIDC.
  • JWT signed by a foreign issuer → ErrInvalidCredential, no fallthrough to static bearer.
  • Static dev token → Identity from BearerAuthenticator (OIDC returns ErrNoCredential on non-JWT).
  • No credential with allow_anonymous=false → ErrNoCredential.
• Adapter unit tests cover looksLikeJWT edges and the nil-validator guard.
• Smoke against a real Keycloak deployment: curl -H "Authorization: Bearer <jwt>" /v1/whoami returns 200 with subject from the JWT sub claim.

Notes

The ticket's optional proposal #3 (softening BearerAuthenticator to return ErrNoCredential on non-match) was intentionally skipped — it would change behavior for non-OIDC deployments and is not needed here. The OIDC adapter returning ErrNoCredential on non-JWT bearers is enough to preserve the static-dev-token fallthrough.