docs(security): document constant-time-comparison contract for auth callbacks

[fredbi]

The runtime delegates credential comparison to caller-supplied authentication callbacks (UserPassAuthentication, TokenAuthentication, ScopedTokenAuthentication, and their Ctx variants). Callers that compare a secret against a known value must use
crypto/subtle.ConstantTimeCompare to avoid response-timing side-channels.

This commit:

• Documents the contract on all six callback type godocs.
• Updates the apikey and basic auth examples to demonstrate the safe pattern, so users copying the snippets inherit it.

No API change. The runtime itself does not compare secrets and remains structurally timing-safe.

Change type

Please select: 🆕 New feature or enhancement|🔧 Bug fix'|📃 Documentation update

Short description

Fixes

Full description

Checklist

• I have signed all my commits with my name and email (see DCO. This does not require a PGP-signed commit
• I have rebased and squashed my work, so only one commit remains
• I have added tests to cover my changes.
• I have properly enriched go doc comments in code.
• I have properly documented any breaking change.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.38%. Comparing base (1e4d68e) to head (9881e97).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #457   +/-   ##
=======================================
  Coverage   83.38%   83.38%           
=======================================
  Files          62       62           
  Lines        4388     4388           
=======================================
  Hits         3659     3659           
  Misses        569      569           
  Partials      160      160           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.