feat: production-grade Privy Auth server integration

[lustsazeus-lab]

Summary

Implements a reviewable server-side Privy Auth integration for issue #1 with replay protection and tests.

What changed

• Added PrivyAuthService for server-side token verification against Privy JWKS
• Added secure app session issuance (HS256, iss/aud/sub/exp, jti)
• Added replay protection via one-time nonce consumption (NonceStore, InMemoryNonceStore)
• Added typed auth errors (AuthError) with status/code semantics
• Expanded env configuration in .env.example
• Updated README with setup + usage + security model
• Added tests for happy path, replay rejection, and invalid session handling

Verification

• npm test passes locally (3 tests)

Closes #1

[lustsazeus-lab]

Friendly follow-up on this PR 👋

This branch has already been rebased and is currently mergeable (CLEAN).

Implemented scope recap:

• server-side Privy JWT verification (JWKS + iss/aud checks)
• nonce replay protection
• auth tests passing locally (npm test)

Since issue #1 is no longer accessible, I’m using this PR thread as the implementation context.

Happy to make any further changes quickly if you want adjustments before merge.