Category: docs Severity: minor
Location: Sources/ARCP/Auth/JWTAuth.swift:72-84
What
The comment states jti is inspected as a replay-tracking identifier, but jti is only decoded and never read, stored, or checked anywhere; no replay tracking exists. The comment overstates behavior.
Evidence
/// Minimal claim set used by ARCP JWTs. ... only the standard fields plus the
/// optional `nonce` (used for challenge binding) and `jti` (replay-tracking
/// identifier) are inspected here.
struct ARCPClaims: JWTPayload {
    ...
    var nonce: String?
    var jti: String?

    func verify(using algorithm: some JWTAlgorithm) async throws {
        try exp.verifyNotExpired()
    }
}
Proposed fix
Either implement jti-based replay tracking, or correct the comment to say jti is decoded but not currently used.
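As an added example that is not part of ARCP's code: one way to implement the jti-based replay tracking the fix proposes, as an in-process actor that remembers each accepted jti until that token's `exp` passes and rejects any second presentation. The names `JTIReplayGuard` and `accept(jti:exp:)` are assumed, and the usage comment assumes the caller has already verified the signature and `exp`; a multi-node deployment would need a shared store instead of the in-memory dictionary.

```swift
import Foundation

/// Added example, not ARCP's own code: replay guard keyed by `jti`.
/// Entries live only until the token's `exp`, so memory is bounded by the
/// number of currently valid tokens rather than by total traffic.
actor JTIReplayGuard {
    enum ReplayError: Error, Equatable {
        case missingJTI   // token carries no jti, so it cannot be tracked
        case expired      // exp already passed; exp verification rejects it anyway
        case replayed     // this jti was already accepted within its lifetime
    }

    /// jti -> expiry as Unix seconds. Present means "already accepted".
    private var seen: [String: TimeInterval] = [:]
    private let clock: () -> TimeInterval

    /// `clock` is injectable so the guard can be tested deterministically.
    init(clock: @escaping () -> TimeInterval = { Date().timeIntervalSince1970 }) {
        self.clock = clock
    }

    /// Accepts a (jti, exp) pair exactly once. A second call with the same
    /// jti before `exp` throws `.replayed`; after `exp` the entry is gone,
    /// but the token itself is then rejected by exp verification.
    func accept(jti: String?, exp: TimeInterval) throws {
        let now = clock()
        prune(now: now)
        guard let jti = jti, !jti.isEmpty else { throw ReplayError.missingJTI }
        guard exp > now else { throw ReplayError.expired }
        if seen[jti] != nil { throw ReplayError.replayed }
        seen[jti] = exp
    }

    /// Number of jtis currently being tracked (for monitoring and tests).
    var liveCount: Int { seen.count }

    /// Drops entries whose token has expired; remembering them buys nothing
    /// because `exp.verifyNotExpired()` already rejects those tokens.
    private func prune(now: TimeInterval) {
        seen = seen.filter { $0.value > now }
    }
}

// Usage (constructed, assumes `claims` is an ARCPClaims whose signature and
// exp were verified by JWTKit, and `exp.value` is the claim's Date):
//   let guard = JTIReplayGuard()
//   try await guard.accept(jti: claims.jti,
//                          exp: claims.exp.value.timeIntervalSince1970)
```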
Acceptance criteria