
feat: Add HTTP Schnorr signature authentication (Phase 1) #1849

Open
melvincarvalho wants to merge 1 commit into nodeSolidServer:main from melvincarvalho:issue-1845-schnorr-phase1

@melvincarvalho
Contributor

Summary

  • Adds request-level authentication via BIP-340 Schnorr signatures using the NIP-98 HTTP Auth scheme (Authorization: Nostr <base64>)
  • Verified identities resolve to did:nostr:<pubkey> URIs that work with existing Solid ACL rules as acl:agent values — zero changes needed to the ACL layer
  • Existing auth behavior is unchanged — Nostr auth is only checked when no session is present

Changes

| File | Change |
| --- | --- |
| lib/api/authn/webid-nostr.mjs | New — NIP-98 event verification with BIP-340 Schnorr signatures |
| lib/api/authn/index.mjs | Export nostr auth module |
| lib/api/authn/webid-oidc.mjs | Skip OIDC RS middleware for Nostr auth headers |
| lib/handlers/allow.mjs | Fall back to Nostr auth when no session userId |
| package.json | Add @noble/curves, @noble/hashes (audited, zero-dependency crypto by Paul Miller) |
| test/unit/nostr-auth-test.mjs | All 10 official http-schnorr-auth spec test vectors + 3 edge cases |

How it works

A user with a did:nostr:<pubkey> in an ACL file authenticates by sending:

GET /resource
Authorization: Nostr <base64-encoded-signed-NIP-98-event>

ACL:

<#auth> a acl:Authorization;
  acl:agent <did:nostr:39a360...c85c2>;
  acl:accessTo </resource>;
  acl:mode acl:Read.

Specs

This is Phase 1 (middleware only). No login UI, sessions, or browser flows.

Refs #1845

Add request-level authentication via BIP-340 Schnorr signatures
using the NIP-98 HTTP Auth scheme (Authorization: Nostr <base64>).

Verified identities resolve to did:nostr:<pubkey> URIs that work
with existing Solid ACL rules as acl:agent values — no changes
needed to the ACL layer.

Tested against all 10 official http-schnorr-auth spec test vectors
and verified live with read + write operations against a running
NSS instance.

Refs: nodeSolidServer#1845
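
The request-binding checks a verifier for the `Authorization: Nostr <base64>` scheme described above has to make before it trusts the signature, as an added example that is not the PR's code. The function names, the injected `verifySig` callback and the `pod.example` URL are assumptions; kind 27235, the `u` and `method` tags and the 60 second window come from NIP-98, and the id serialization from NIP-01.

```javascript
// Checks that bind a NIP-98 event to one HTTP request (added example, not the PR's code).
const { createHash } = require('node:crypto')

const NIP98_KIND = 27235      // HTTP Auth event kind defined by NIP-98
const MAX_SKEW_SECONDS = 60   // freshness window suggested by NIP-98
const hex = (s, n) => typeof s === 'string' && s.length === n && /^[0-9a-f]+$/.test(s)
const tagValue = (ev, name) => (ev.tags.find(t => Array.isArray(t) && t[0] === name) || [])[1]

// NIP-01 event id: sha256 over the canonical JSON array, hex-encoded.
function eventId (ev) {
  const canonical = JSON.stringify([0, ev.pubkey, ev.created_at, ev.kind, ev.tags, ev.content])
  return createHash('sha256').update(canonical, 'utf8').digest('hex')
}

// verifySig(sigHex, idHex, pubkeyHex) -> boolean is a hypothetical callback supplied by the
// caller, e.g. a wrapper around a BIP-340 library. Returns { agent } or { error }.
function authenticate (header, method, url, now, verifySig) {
  const m = /^Nostr ([A-Za-z0-9+/]+={0,2})$/.exec(header || '')
  if (!m) return { error: 'not a Nostr authorization header' }
  let ev
  try { ev = JSON.parse(Buffer.from(m[1], 'base64').toString('utf8')) } catch { return { error: 'malformed event' } }
  if (!ev || !hex(ev.pubkey, 64) || !hex(ev.sig, 128) ||
      !Number.isInteger(ev.created_at) || !Array.isArray(ev.tags) || typeof ev.content !== 'string') {
    return { error: 'malformed event' }
  }
  if (ev.kind !== NIP98_KIND) return { error: 'wrong kind' }
  if (Math.abs(now - ev.created_at) > MAX_SKEW_SECONDS) return { error: 'stale event' }
  if (tagValue(ev, 'u') !== url) return { error: 'url mismatch' }
  if (String(tagValue(ev, 'method')).toUpperCase() !== method.toUpperCase()) return { error: 'method mismatch' }
  // Recompute the id instead of trusting ev.id: the signature covers this hash.
  const id = eventId(ev)
  if (ev.id !== id) return { error: 'id mismatch' }
  if (!verifySig(ev.sig, id, ev.pubkey)) return { error: 'bad signature' }
  return { agent: `did:nostr:${ev.pubkey}` }
}

// Constructed sample: placeholder key and signature, verifier stubbed to accept.
function demo () {
  const ev = { pubkey: 'ab'.repeat(32), created_at: 1700000000, kind: NIP98_KIND,
    tags: [['u', 'https://pod.example/resource'], ['method', 'GET']], content: '', sig: 'cd'.repeat(64) }
  ev.id = eventId(ev)
  const header = 'Nostr ' + Buffer.from(JSON.stringify(ev)).toString('base64')
  const accept = () => true
  return [
    authenticate(header, 'GET', 'https://pod.example/resource', 1700000010, accept),
    authenticate(header, 'PUT', 'https://pod.example/resource', 1700000010, accept),
    authenticate(header, 'GET', 'https://pod.example/other', 1700000010, accept)
  ]
}
```

In `demo()` only the first call yields an agent; the same header presented with another method or URL is rejected before the signature is consulted.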