feat(membershipd): refuse fail-open startup configs
Audit H2 (Alto). The binary defaulted to --bus-auth off, the NATS nkey authenticator only turned on under enforce, and TLS was an independent flag. Booting --bind 0.0.0.0 --tls-cert … without --bus-auth enforce left both planes open while looking secure.

validateBootConfig is a pure guard, called right after flag parsing, that log.Fatals on two insecure shapes:
- a non-loopback --bind without --bus-auth enforce, and
- --tls-cert/--tls-key without --bus-auth enforce.

An insecure public startup is now impossible (the process exits), so a fail-open data plane never comes up for an unregistered client to reach. TestAudit_FailOpenTLSWithoutAuth plus a full policy table cover golden (public+enforce, dev loopback) and every refused shape.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
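The guard described in the commit message, written out as an added example that is not membershipd's own code: a pure validateBootConfig that refuses the two fail-open shapes (non-loopback --bind without --bus-auth enforce; --tls-cert or --tls-key without --bus-auth enforce) and a policy table in main that exercises the golden and refused cases. The string parameter types, the authMode values "off"/"enforce", the loopback detection rules and the file paths are assumptions; the real function's signature and the project's flag values are not shown on the page.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrInsecureBoot wraps every refusal so callers can test for it with errors.Is.
var ErrInsecureBoot = errors.New("refusing fail-open startup configuration")

// isLoopbackBind reports whether a --bind value listens on loopback only.
// It accepts "host:port" or a bare host. A bare port (":4222"), an empty
// value, or a wildcard address such as 0.0.0.0 or :: means "all interfaces"
// and is treated as non-loopback. Hostnames are not resolved: only literal
// loopback IPs and the name "localhost" count as loopback (assumed policy).
func isLoopbackBind(bind string) bool {
	host := bind
	if h, _, err := net.SplitHostPort(bind); err == nil {
		host = h
	}
	host = strings.Trim(host, "[]") // bare IPv6 literal written as "[::1]"
	if host == "" {
		return false
	}
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// validateBootConfig is a pure guard with no I/O, meant to run right after
// flag parsing. It refuses the two fail-open shapes named in the commit:
//   1. a non-loopback --bind without --bus-auth enforce, and
//   2. --tls-cert or --tls-key without --bus-auth enforce.
// Parameter types and the "enforce" string are assumptions for this example.
func validateBootConfig(bind, authMode, tlsCert, tlsKey string) error {
	if authMode == "enforce" {
		return nil // every shape is acceptable once the bus authenticates clients
	}
	if !isLoopbackBind(bind) {
		return fmt.Errorf("%w: --bind %q is reachable beyond loopback but --bus-auth is %q (need enforce)",
			ErrInsecureBoot, bind, authMode)
	}
	if tlsCert != "" || tlsKey != "" {
		return fmt.Errorf("%w: --tls-cert/--tls-key set but --bus-auth is %q; TLS without client auth only looks secure (need enforce)",
			ErrInsecureBoot, authMode)
	}
	return nil
}

// bootShape is one row of the policy table printed by main.
type bootShape struct {
	name, bind, authMode, tlsCert, tlsKey string
}

func main() {
	// Constructed shapes mirroring the commit's golden and refused cases.
	shapes := []bootShape{
		{"golden public+enforce", "0.0.0.0:4222", "enforce", "/etc/membershipd/srv.crt", "/etc/membershipd/srv.key"},
		{"golden dev loopback", "127.0.0.1:4222", "off", "", ""},
		{"refused public no auth", "0.0.0.0:4222", "off", "", ""},
		{"refused TLS without auth", "0.0.0.0:4222", "off", "/etc/membershipd/srv.crt", "/etc/membershipd/srv.key"},
		{"refused loopback TLS without auth", "[::1]:4222", "off", "/etc/membershipd/srv.crt", ""},
		{"refused bare port", ":4222", "off", "", ""},
	}
	for _, s := range shapes {
		err := validateBootConfig(s.bind, s.authMode, s.tlsCert, s.tlsKey)
		if err != nil {
			fmt.Printf("%-34s REFUSED: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-34s ok\n", s.name)
	}
}
```

The guard is ordered so that enforce short-circuits everything: once client authentication is on, any bind and any TLS setting is acceptable, which is exactly the golden public+enforce shape. A bare ":port" is deliberately treated as non-loopback, since Go's listener binds all interfaces for it.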
@@ -52,6 +52,13 @@ func main() {
log.Fatalf("%v", err)
}

// Fail-open guard (audit H2): a non-loopback bind, or any TLS flag, demands
// --bus-auth enforce. This makes an insecure public startup impossible rather
// than silently exposing the bus with the appearance of security.
if err := validateBootConfig(*bind, authMode, *tlsCert, *tlsKey); err != nil {
log.Fatalf("%v", err)
}

log.SetFlags(log.LstdFlags | log.Lmsgprefix)
log.SetPrefix("[membershipd] ")

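Review bot: the comment on the added guard promises that "any TLS flag" demands --bus-auth enforce, but the call only hands *tlsCert and *tlsKey to validateBootConfig; either narrow the comment to the two flags the guard actually inspects or route every TLS-related flag through it, since a flag the guard never sees cannot trigger the refusal. A smaller point: the guard runs before log.SetFlags and log.SetPrefix, so its fatal message (like the earlier log.Fatalf("%v", err)) goes out without the "[membershipd] " prefix; moving the two log.Set* calls above both checks would make the refusal attributable in aggregated logs.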