feat: implement resource metadata management API (issue #12)

Add API endpoints to manage ResourceMetadata (ownership, groups, permissions)
for KV resources. This enables administrators to configure granular access
control for stored data.

Changes:
- Add GetResourceMetadataResponse and UpdateResourceMetadataRequest types
- Add GetResourceMetadata and SetResourceMetadata methods to AuthService
- Add GET /kv/{path}/metadata endpoint (requires admin:users:read)
- Add PUT /kv/{path}/metadata endpoint (requires admin:users:update)
- Both endpoints protected by JWT authentication
- Metadata routes registered before general KV routes to prevent pattern conflicts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

server/routes.go

@@ -13,6 +13,18 @@ func (s *Server) setupRoutes() *mux.Router {
 	// Health endpoint (always available)
 	router.HandleFunc("/health", s.healthHandler).Methods("GET")
 
+	// Resource Metadata Management endpoints (Issue #12) - Must come BEFORE general KV routes
+	// These need to be registered first to prevent /kv/{path:.+} from matching metadata paths
+	if s.config.AuthEnabled {
+		router.Handle("/kv/{path:.+}/metadata", s.authService.Middleware(
+			[]string{"admin:users:read"}, nil, "",
+		)(s.getResourceMetadataHandler)).Methods("GET")
+
+		router.Handle("/kv/{path:.+}/metadata", s.authService.Middleware(
+			[]string{"admin:users:update"}, nil, "",
+		)(s.updateResourceMetadataHandler)).Methods("PUT")
+	}
+
 	// KV endpoints (with conditional authentication based on anonymous access settings)
 	// GET endpoint - require auth if anonymous read is disabled
 	if s.config.AuthEnabled && !s.config.AllowAnonymousRead {