
Slice 9: jotsmith token verify #9

@MaxAnderson95

Description


What to build

Implement jotsmith token verify <jwt> [--aud <expected>] [--sub <expected>] per PRD §6.3 — a live HTTPS round-trip that fetches the discovery doc and JWKS, reconstructs the RSA public key, verifies the signature, and checks standard claims with ±60s skew. Demonstrates the issuer/JWKS-fetch path independently from minting.

This slice does NOT require setup at the code-dependency level (you could verify someone else's token), but to demo it meaningfully you need an issuer to verify against, so it's blocked by #7.

Acceptance criteria

  • Parses the JWT, extracts the header kid; rejects unsigned tokens or tokens with alg other than RS256
  • GETs <issuer>/.well-known/openid-configuration (issuer from config); validates the discovery doc's issuer field equals the config issuer
  • GETs jwks_uri from the discovery doc; finds the JWK matching the JWT header kid; rejects if none
  • Reconstructs an RSA public key from n and e; verifies the signature using RS256
  • Verifies payload iss matches config; exp > now, nbf <= now, iat <= now + skew; ±60s skew on all time checks
  • --aud (if given) checks payload aud contains the value (when array) or equals it (when string)
  • --sub (if given) requires exact match against payload sub
  • On success: prints OK + decoded claims to stderr (nothing to stdout); exit 0
  • On failure: prints which check failed to stderr; exit 1
  • HTTPS timeouts handled with a sensible default and a clear error
  • Unit tests cover: bad kid, signature mismatch, expired, not-yet-valid, wrong iss, wrong aud (string and array forms), wrong sub
  • Integration test behind //go:build integration mints and then verifies an end-to-end token

Blocked by

Originally created in OpenCode session ID: ses_17ca8efd8ffexLcFSysAMDVNBQ


Labels: ready-for-agent (Fully specified, ready for an AFK agent to pick up)
