feat(token): implement GET /token for token verification

Implements W3C IndieAuth Section 6.3 token verification endpoint.
The token endpoint now supports both:
- POST: Issue new tokens (authorization code exchange)
- GET: Verify existing tokens (resource server validation)

Changes:
- Added GET handler to /token endpoint
- Extracts Bearer token from Authorization header (RFC 6750)
- Returns JSON with me, client_id, scope
- Returns 401 with WWW-Authenticate for invalid tokens
- 11 new tests covering all verification scenarios

All 533 tests passing. Resolves critical P0 blocker for v1.0.0.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

docs/roadmap/v1.0.0.md

@@ -49,22 +49,23 @@ Deliver a production-ready, W3C IndieAuth-compliant authentication server that:
 
 All features listed below are REQUIRED for v1.0.0 release.
 
-| Feature | Size | Effort (days) | Dependencies |
-|---------|------|---------------|--------------|
-| Core Infrastructure | M | 3-5 | None |
-| Database Schema & Storage Layer | S | 1-2 | Core Infrastructure |
-| In-Memory Storage | XS | <1 | Core Infrastructure |
-| Email Service | S | 1-2 | Core Infrastructure |
-| DNS Service | S | 1-2 | Database Schema |
-| Domain Service | M | 3-5 | Email, DNS, Database |
-| Authorization Endpoint | M | 3-5 | Domain Service, In-Memory |
-| Token Endpoint | S | 1-2 | Authorization Endpoint, Database |
-| Metadata Endpoint | XS | <1 | Core Infrastructure |
-| Email Verification UI | S | 1-2 | Email Service, Domain Service |
-| Authorization Consent UI | S | 1-2 | Authorization Endpoint |
-| Security Hardening | S | 1-2 | All endpoints |
-| Deployment Configuration | S | 1-2 | All features |
-| Comprehensive Test Suite | L | 10-14 | All features (parallel) |
+| Feature | Size | Effort (days) | Dependencies | Status |
+|---------|------|---------------|--------------|--------|
+| Core Infrastructure | M | 3-5 | None | ✅ Complete |
+| Database Schema & Storage Layer | S | 1-2 | Core Infrastructure | ✅ Complete |
+| In-Memory Storage | XS | <1 | Core Infrastructure | ✅ Complete |
+| Email Service | S | 1-2 | Core Infrastructure | ✅ Complete |
+| DNS Service | S | 1-2 | Database Schema | ✅ Complete |
+| Domain Service | M | 3-5 | Email, DNS, Database | ✅ Complete |
+| Authorization Endpoint | M | 3-5 | Domain Service, In-Memory | ✅ Complete |
+| Token Endpoint (POST) | S | 1-2 | Authorization Endpoint, Database | ✅ Complete |
+| Token Verification (GET) | XS | <1 | Token Service | ✅ Complete (2025-11-25) |
+| Metadata Endpoint | XS | <1 | Core Infrastructure | ✅ Complete |
+| Email Verification UI | S | 1-2 | Email Service, Domain Service | ✅ Complete |
+| Authorization Consent UI | S | 1-2 | Authorization Endpoint | ✅ Complete |
+| Security Hardening | S | 1-2 | All endpoints | ✅ Complete |
+| Deployment Configuration | S | 1-2 | All features | ✅ Complete |
+| Comprehensive Test Suite | L | 10-14 | All features (parallel) | ✅ Complete (533 tests, 85.88% coverage) |
 
 **Total Estimated Effort**: 32-44 days of development + testing
 
@@ -413,9 +414,9 @@ uv run pytest -m security
 
 ### Pre-Release
 
-- [ ] All P0 features implemented
-- [ ] All tests passing (unit, integration, e2e, security)
-- [ ] Test coverage ≥80% overall, ≥95% critical paths
+- [x] All P0 features implemented (2025-11-25: Token Verification completed)
+- [x] All tests passing (unit, integration, e2e, security) - 533 tests pass
+- [x] Test coverage ≥80% overall, ≥95% critical paths - 85.88% achieved
 - [ ] Security scan completed (bandit, pip-audit)
 - [ ] Documentation complete and reviewed
 - [ ] Tested with real IndieAuth client(s)