feat(auth): introduce typed AuthContext contract across the stack

[ngalluzzo]

Summary

• Closes the JsonObject gap: authContext was typed as JsonObject at every contract boundary — dispatch requests, credential-store I/O, kernel contracts, app-runtime-facade-contracts, and runtime internals. It is now typed as AuthContext (from new host-contracts/src/auth-context/) everywhere, consistent with how PrincipalContext was already handled.
• Adds surface-boundary validation: load-credential-context.ts now calls authContextSchema.safeParse() on the value returned from a credential store's load, mirroring the existing principalInput validation — failing closed or degrading to anonymous per the configured policy.
• Eliminates the expresso-std blind cast: getAuthContext() previously returned auth as AuthContext with no verification. It now uses authContextSchema.safeParse(auth) and returns undefined on failure, making policy operator failures explicit rather than silently incorrect.

What changed

Layer	Change
host-contracts/src/auth-context/	New — authContextSchema (Zod, .passthrough()), AuthContext type, parseAuthContext, authContextContracts barrel
surface-contracts credential-store schemas	5× jsonObjectSchema → authContextSchema
surface-contracts credential-store types	Remove Omit<…, "authContext"> & { authContext?: JsonObject } override on 5 types
surface-contracts dispatch request	authContextSchema.optional() + DispatchRequest.authContext?: AuthContext
kernel-contracts entrypoint-runtime + semantic-engine	authContext?: AuthContext
app-runtime-facade-contracts create + subscribe	3 Zod schemas + AppRuntimeInteractionSessionWriteInput interface
surface-adapters/load-credential-context.ts	Add safeParse validation block after principal validation
kernel-runtime/entrypoint/types.ts + domain-runtime/execution-core/context.ts	authContext?: AuthContext
expresso-std/auth/auth-helpers.ts	Remove local interface, import from host-contracts, replace cast with safeParse
All 4 credential-store payload files	Schema fields + helper signatures use AuthContext
Conformance fixtures	unknown[] → (AuthContext | undefined)[]

Test plan

• Workspace typecheck: bun run typecheck — all 75 packages pass
• Auth-context conformance suite: bun test products/quality/conformance/test/credential-store-auth-context-*.test.ts — all 4 tests pass
• Verify getAuthContext() in expresso-std returns undefined for objects that don't match any known AuthContext fields (regression: previously would cast and return them)
• Verify a credential store returning a malformed authContext (e.g. { roles: "not-an-array" }) is rejected at the surface boundary under fail_closed policy and degraded under degrade_to_anonymous
• Smoke test an existing surface (HTTP or web) with a full sign-in flow to confirm authContext still propagates end-to-end

Notes

• authContextSchema uses .passthrough() intentionally — JWT payloads commonly include aud, iss, jti and other standard claims not enumerated in our schema. Extra fields are preserved, not stripped.
• credentialState on the credential-store types was left as JsonObject — it is genuinely freeform state that varies per store implementation and has no shared semantics across the system.

Issue Link

No linked issues detected from commit messages.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f07ef3920f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".