feat: add ForwardAuth endpoint for Traefik integration

GET /auth/verify validates JWT and returns X-User-Id, X-User-Email
headers for downstream service routing via Traefik middleware.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/main/java/net/siegeln/cameleer/saas/config/ForwardAuthController.java

@@ -0,0 +1,43 @@
+package net.siegeln.cameleer.saas.config;
+
+import net.siegeln.cameleer.saas.auth.JwtService;
+import net.siegeln.cameleer.saas.tenant.TenantService;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+@RestController
+public class ForwardAuthController {
+
+    private final JwtService jwtService;
+    private final TenantService tenantService;
+
+    public ForwardAuthController(JwtService jwtService, TenantService tenantService) {
+        this.jwtService = jwtService;
+        this.tenantService = tenantService;
+    }
+
+    @GetMapping("/auth/verify")
+    public ResponseEntity<Void> verify(HttpServletRequest request) {
+        String authHeader = request.getHeader("Authorization");
+        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+            return ResponseEntity.status(401).build();
+        }
+
+        String token = authHeader.substring(7);
+
+        if (jwtService.isTokenValid(token)) {
+            String email = jwtService.extractEmail(token);
+            var userId = jwtService.extractUserId(token);
+
+            return ResponseEntity.ok()
+                    .header("X-User-Id", userId.toString())
+                    .header("X-User-Email", email)
+                    .build();
+        }
+
+        return ResponseEntity.status(401).build();
+    }
+}