chore(flags): flip bus-auth to enforce and bus-tls on (target state)

Declares the project's target rollout: bus-auth enforce, bus-tls enabled.
Flags are declarative; the operator activates them at deploy via membershipd
--bus-auth/--tls-cert/--tls-key. CLI defaults stay off so dev and tests run
unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

dev/feature_flags.json

@@ -1,19 +1,19 @@
 {
   "flags": {
     "bus-auth": {
-      "enabled": false,
-      "state": "off",
+      "enabled": true,
+      "state": "enforce",
       "issue": "0001",
-      "description": "Signed control-plane auth + NATS nkey auth. Rollout: off -> soft (verify+log, allow) -> enforce (reject). 'enabled' mirrors state!=off.",
+      "description": "Signed control-plane auth + NATS nkey auth. Rollout: off -> soft (verify+log, allow) -> enforce (reject). 'enabled' mirrors state!=off. Server opts in via membershipd --bus-auth; clients via client.Connect(caPath).",
       "added": "2026-06-07",
-      "enabled_at": null
+      "enabled_at": "2026-06-07"
     },
     "bus-tls": {
-      "enabled": false,
+      "enabled": true,
       "issue": "0001",
-      "description": "TLS on the NATS data plane using the project's self-signed CA (deploy/tls/). When enabled the server presents its cert and clients pin the CA.",
+      "description": "TLS on the NATS data plane using the project's self-signed CA (deploy/tls/). Server opts in via membershipd --tls-cert/--tls-key; clients pin ca.crt via client.Connect(caPath).",
       "added": "2026-06-07",
-      "enabled_at": null
+      "enabled_at": "2026-06-07"
     }
   }
 }