harden(mana-sync): fix WebSocket auth, add validation, tests, and docs

Critical security and correctness fixes for the sync server:

Security:
- Fix WebSocket JWT validation — was completely broken (hardcoded
  "pending-auth"). Now validates JWT via JWKS, rejects invalid tokens,
  enforces 10-second auth deadline, sends auth-ok confirmation.
- Add 10 MB request body size limit (prevents OOM attacks)
- Validate op field (must be insert/update/delete)
- Validate table and id fields (must be non-empty)
- Abort sync on RecordChange failure (was silently continuing)

Correctness:
- Fix silent JSON unmarshal errors in store (now returns error)
- Copy client set before iterating in NotifyUser (prevents race)
- Add write timeout on WebSocket notifications

Testing (19 tests, 0 -> 100% for unit-testable code):
- auth: token extraction, validator init, missing auth handling
- config: defaults, env override, invalid port
- sync: op validation, changeset validation, response format,
  field change round-trip, body size constant

Documentation:
- Add CLAUDE.md with architecture, sync protocol, LWW explanation,
  API endpoints, configuration, security notes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

services/mana-sync/cmd/server/main.go

@@ -46,8 +46,8 @@ func main() {
 	// Initialize JWT validator
 	validator := auth.NewValidator(cfg.JWKSUrl)
 
-	// Initialize WebSocket hub
-	hub := ws.NewHub()
+	// Initialize WebSocket hub (with JWT validator for auth)
+	hub := ws.NewHub(validator)
 
 	// Initialize sync handler
 	handler := syncHandler.NewHandler(db, validator, hub)