wrapper: make JWT optional in composite Bearer token (plain upstream key without JWT)

[levleontiev]

Current behaviour

In FAIRVISOR_MODE=wrapper, wrapper.parse_composite_bearer() requires the Authorization header to follow the composite format Bearer <JWT>:<UPSTREAM_KEY>. If the token contains no colon, the function returns composite_key_invalid and the request is rejected with HTTP 401.

Relevant code in src/fairvisor/wrapper.lua:

local colon_pos = string_find(token, ":", 1, true)
if not colon_pos or colon_pos <= 1 then
  return nil, "composite_key_invalid"   -- ← always rejects plain keys
end

Desired behaviour

JWT should be optional. The parsing logic should become:

Token format	JWT	Upstream key	Tenant identity
Bearer <JWT>:<UPSTREAM_KEY>	present	after first :	from JWT claims
Bearer <UPSTREAM_KEY> (no colon)	absent	entire token	anonymous / none

When no JWT is present, parsed.claims is {} (empty table, same as today's fallback) and parsed.jwt_part is nil.

Acceptance criteria

• parse_composite_bearer("Bearer sk-proj-abc123") returns { jwt_part = nil, upstream_key = "sk-proj-abc123", claims = {} } — no error
• parse_composite_bearer("Bearer eyJ…:sk-proj-abc123") continues to work as today
• parse_composite_bearer("Bearer ") (empty token) still returns nil, "composite_key_invalid"
• access_handler accepts plain-key requests; ngx.ctx.wrapper_tenant is "" when no JWT
• Unit tests in spec/unit/wrapper_spec.lua cover both cases
• spec/unit/features/wrapper.feature has a scenario for plain-key flow

Files to change

• src/fairvisor/wrapper.lua — parse_composite_bearer() and its callers
• spec/unit/wrapper_spec.lua — new test cases
• spec/unit/features/wrapper.feature — new scenario