feat(library): add workspace-scoped search and JWT auth for Daedalus

- Extend library list endpoint with `include_workspace` and
  `with_item_count` query params to support Daedalus registry mirroring
- Expand search scope clause to three modes: workspace-only, workspace
  plus allowed user libraries, and global
- Add `allowed_libraries` field to SearchRequest for Phase-2 JWT claims
- Introduce JWT-based actor resolution using a synthetic service user
  (`MCP_JWT_SERVICE_USERNAME`) for Daedalus-originated requests

mnemosyne/mcp_server/context.py

@@ -4,7 +4,7 @@ from __future__ import annotations
 
 from fastmcp.server.context import Context
 
-from .auth import STATE_KEY_TOKEN, STATE_KEY_USER
+from .auth import STATE_KEY_CLAIMS, STATE_KEY_TOKEN, STATE_KEY_USER
 
 
 async def get_mcp_user(ctx: Context | None):
@@ -17,3 +17,10 @@ async def get_mcp_token(ctx: Context | None):
     if ctx is None:
         return None
     return await ctx.get_state(STATE_KEY_TOKEN)
+
+
+async def get_mcp_claims(ctx: Context | None) -> dict | None:
+    """Return the JWT claims dict for this request, or None for opaque-token callers."""
+    if ctx is None:
+        return None
+    return await ctx.get_state(STATE_KEY_CLAIMS)