feat(jwt,core): stateful access tokens + user-deletion fan-out

[wolpert]

Summary

Two related primitives for the 1.1.0 train.

Feature 3 — AccessTokenStore SPI in pk-auth-jwt. PkAuthJwtIssuer.issue() always calls store.record(jti, …) before returning; PkAuthJwtValidator.validate() calls store.exists(jti) alongside RevocationCheck. The default AccessTokenStore.noop() preserves stateless JWT behaviour — hosts wire JdbiAccessTokenStore or DynamoDbAccessTokenStore (both shipped) to make logout / admin-revoke take effect before exp. No TokenMode enum: presence of a real bean is the signal. ADR 0015.

Cross-cutting — UserDeletionService in pk-auth-core. Single fan-out point that runs every registered UserDeletionListener and returns a typed UserDeletionResult. Listeners shipped for credentials, backup codes, OTPs, and access tokens. Each adapter wires them through its native DI mechanism (Spring auto-collection, Dagger @IntoSet, Micronaut Collection<T>). Sequential + best-effort rather than motif's single-shared-transaction model because pk-auth's persistence SPIs span JDBI / DynamoDB / in-memory with no shared substrate. ADR 0016.

Breaking SPI additions

• CredentialRepository.deleteByUserHandle(UserHandle) -> int
• OtpRepository.deleteByUserHandle(UserHandle) -> int

All shipped implementations (in-memory, JDBI, DynamoDB) are updated. Documented in CHANGELOG.md.

Schema

• Flyway V8 adds access_tokens (jti, user_handle, audience, device_id, issued_at, expires_at). PkAuthJdbiSchema.CURRENT_SCHEMA_VERSION bumped to 8.
• DynamoDB: two-item layout on PkAuthCore (primary jti-keyed + user-indexed pointer) with native ttl for async expiry.

Test plan

• `./gradlew :pk-auth-jwt:test` — passes including 5 new AccessTokenStore integration tests (noop, recorded jti, absent jti rejected, present jti accepted, deletion listener forwarding).
• `./gradlew :pk-auth-testkit:test` — InMemoryAccessTokenStore driven by AccessTokenStoreScenarios (5 cases).
• `./gradlew :pk-auth-persistence-jdbi:test` — JdbiAccessTokenStoreIntegrationTest passes against Testcontainers Postgres (5 parity scenarios, schema bumped from V6 → V8).
• `./gradlew :pk-auth-persistence-dynamodb:test` — DynamoDbAccessTokenStoreIntegrationTest passes against DynamoDB Local (5 parity scenarios, both primary + user-index items written).
• `./gradlew :pk-auth-core:test` — UserDeletionServiceTest covers happy path, failing-listener-doesn't-stop-others, and each shipped listener's forwarding.
• `./gradlew check` — 159-task full build green across every module + every example demo. JaCoCo coverage thresholds met on pk-auth-jwt (80%) and pk-auth-core (80%) after adding the integration test classes.

🤖 Generated with Claude Code