feat: implement T11, T12 — Authelia adapter, privacyIDEA adapter

- T11: AutheliaAdapter delegating login UI and session; Authelia tokens never leak to profile layer
- T12: PrivacyIDEAAdapter delegating MFA 100% — no MFA logic in KeyCape

21 adapter tests pass, vet clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/internal/adapters/privacyidea/config.go

@@ -0,0 +1,36 @@
+// Package privacyidea implements the domain.MFAProvider interface by delegating
+// all MFA decisions to a privacyIDEA server. KeyCape contains no MFA logic —
+// every check and validation call is forwarded verbatim to privacyIDEA.
+package privacyidea
+
+import "net/http"
+
+// Config holds all connection parameters for the privacyIDEA adapter.
+type Config struct {
+	// BaseURL is the privacyIDEA server base URL, e.g. "https://privacyidea.local".
+	BaseURL string
+
+	// AdminToken is the service-account JWT used to authenticate requests to the
+	// privacyIDEA admin API.
+	AdminToken string
+
+	// Realm is the privacyIDEA realm to scope token and validate requests.
+	// Defaults to "netkingdom" when empty.
+	Realm string
+}
+
+// realm returns the effective realm, falling back to "netkingdom".
+func (c Config) realm() string {
+	if c.Realm != "" {
+		return c.Realm
+	}
+	return "netkingdom"
+}
+
+// HTTPClient is a minimal interface over net/http.Client for test injection.
+type HTTPClient interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
+// defaultHTTPClient is the production HTTP client used when none is injected.
+var defaultHTTPClient HTTPClient = &http.Client{}