Authentication: turning a wire-level credential into a verified IdentityId the rest of the system can attach
to a transaction. The crate owns the registry of supported authentication methods, the challenge-response state
machine for methods that need it, and the service handle the server tiers route incoming sessions through.
Authorisation - what an identity is allowed to do once authenticated - is not in this crate; that is the policy engine's responsibility. The split exists so a deployment can swap out authentication methods (token, password, external IDP) without touching the policy enforcement path.
Invariant: a successful authentication produces an IdentityId that resolves through the catalog to a real,
non-revoked identity. Anything that mints an IdentityId outside this crate (test fixtures aside) bypasses
revocation and method requirements and is a security regression.
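As an added illustration of the service handle and the invariant above (example code written for this note, not the crate's own; `AuthMethod`, `TokenMethod`, `CatalogEntry` and `demo` are assumed names, and the challenge-response state machine is left out), the only way to obtain an `IdentityId` is through `authenticate`, which resolves the method's answer through the catalog and rejects revoked identities before minting the handle:

```rust
use std::collections::HashMap;

/// Opaque identity handle. The field is private, so nothing outside this module can mint one.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct IdentityId(u64);

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError { UnknownMethod, BadCredential, UnknownIdentity, Revoked }

/// What the catalog knows about an identity (assumed shape for this example).
pub struct CatalogEntry { pub id: u64, pub revoked: bool }

/// One registered authentication method: checks a credential, returns the raw catalog id it names.
pub trait AuthMethod {
    fn verify(&self, credential: &str) -> Option<u64>;
}

/// Toy bearer-token method backed by a fixed token -> id map (constructed sample data).
pub struct TokenMethod { pub tokens: HashMap<&'static str, u64> }
impl AuthMethod for TokenMethod {
    fn verify(&self, credential: &str) -> Option<u64> { self.tokens.get(credential).copied() }
}

/// Service handle: the method registry plus the catalog every result is resolved through.
pub struct AuthService {
    methods: HashMap<&'static str, Box<dyn AuthMethod>>,
    catalog: HashMap<u64, CatalogEntry>,
}

impl AuthService {
    pub fn new(entries: Vec<CatalogEntry>) -> Self {
        Self { methods: HashMap::new(), catalog: entries.into_iter().map(|e| (e.id, e)).collect() }
    }
    pub fn register(&mut self, name: &'static str, m: Box<dyn AuthMethod>) { self.methods.insert(name, m); }
    /// The single minting path: method lookup, credential check, catalog resolution, revocation check.
    pub fn authenticate(&self, method: &str, credential: &str) -> Result<IdentityId, AuthError> {
        let m = self.methods.get(method).ok_or(AuthError::UnknownMethod)?;
        let raw = m.verify(credential).ok_or(AuthError::BadCredential)?;
        let entry = self.catalog.get(&raw).ok_or(AuthError::UnknownIdentity)?;
        if entry.revoked { return Err(AuthError::Revoked); }
        Ok(IdentityId(raw))
    }
}

/// Builds a service with constructed sample data: id 1 active, id 2 revoked, token "tok-ghost" naming an id absent from the catalog.
pub fn demo() -> AuthService {
    let mut svc = AuthService::new(vec![CatalogEntry { id: 1, revoked: false }, CatalogEntry { id: 2, revoked: true }]);
    let tokens = HashMap::from([("tok-alice", 1), ("tok-bob", 2), ("tok-ghost", 9)]);
    svc.register("token", Box::new(TokenMethod { tokens }));
    svc
}
```

A method that validates its credential correctly but names a revoked or unknown identity still fails, which is the property the invariant protects.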