fix(0006d): enforce homogeneous cluster posture + publish posture on /healthz (audit 0008 N1)

A cluster is only as secure as its weakest node: the data plane forwards every
subject between nodes, so one node running without enforced auth lets an
unauthenticated peer Subscribe(">") on it and harvest the traffic forwarded from
the ACL'd nodes.

- validateClusterConfig now takes the auth mode and REFUSES to join a cluster
  unless --bus-auth enforce, regardless of bind (a clustered node is a production
  node; there is no safe dev cluster without auth). This binary therefore cannot
  BE the weak node.
- Server.Posture {enforce,acl,tls,cluster,store} is published on /healthz (non
  secret operational metadata, probe stays unauthenticated) so a monitor or peer
  can detect a cluster member not running enforce+ACL+TLS — covering a peer that
  runs a tampered/old binary outside this node's control.

Tests:
- TestAttack0008_N1: a clustered node with --bus-auth off is refused; the same
  node with enforce + full route security is allowed.
- TestClusterConfigPolicy: extended with off/soft clustered cases (refused) and
  the mode parameter throughout.
- TestHealthExposesPosture: /healthz returns the posture booleans + store backend.

CGO_ENABLED=0 go build/vet/test green; govulncheck 0 reachable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

cmd/membershipd/config_test.go

@@ -108,31 +108,40 @@ func TestBootConfigPolicy(t *testing.T) {
 // route-TLS flags are all-or-nothing regardless of bind.
 func TestClusterConfigPolicy(t *testing.T) {
 	const c, k, ca = "node.crt", "node.key", "ca.crt"
+	en := membership.AuthEnforce
+	off := membership.AuthOff
+	soft := membership.AuthSoft
 	cases := []struct {
-		name                       string
-		clusterName, bind          string
-		user, pass                 string
-		rtCert, rtKey, rtCA        string
-		wantErr                    bool
+		name                string
+		clusterName, bind   string
+		user, pass          string
+		rtCert, rtKey, rtCA string
+		mode                membership.AuthMode
+		wantErr             bool
 	}{
-		// Standalone (no cluster name) is always allowed, even on a public bind.
-		{"standalone-public", "", "0.0.0.0", "", "", "", "", "", false},
-		// Loopback dev cluster: unguarded (unreachable from outside).
-		{"loopback-cluster-bare", "unibus", "127.0.0.1", "", "", "", "", "", false},
-		// Golden: full public HA config.
-		{"public-full", "unibus", "0.0.0.0", "u", "p", c, k, ca, false},
-		// Error: public cluster without a route secret.
-		{"public-no-secret", "unibus", "0.0.0.0", "", "", c, k, ca, true},
-		{"public-half-secret", "unibus", "0.0.0.0", "u", "", c, k, ca, true},
+		// Standalone (no cluster name) is always allowed, even on a public bind and
+		// without enforce — the cluster posture rule does not apply to a single node.
+		{"standalone-public-off", "", "0.0.0.0", "", "", "", "", "", off, false},
+		// Loopback dev cluster WITH enforce: allowed (unreachable from outside).
+		{"loopback-cluster-enforce", "unibus", "127.0.0.1", "", "", "", "", "", en, false},
+		// Golden: full public HA config under enforce.
+		{"public-full-enforce", "unibus", "0.0.0.0", "u", "p", c, k, ca, en, false},
+		// N1 (audit 0008): a clustered node WITHOUT enforce is refused — even on
+		// loopback — so no weak node can join the cluster.
+		{"cluster-off-refused", "unibus", "127.0.0.1", "", "", "", "", "", off, true},
+		{"cluster-soft-refused", "unibus", "0.0.0.0", "u", "p", c, k, ca, soft, true},
+		// Error: public cluster without a route secret (enforce on, fails on secret).
+		{"public-no-secret", "unibus", "0.0.0.0", "", "", c, k, ca, en, true},
+		{"public-half-secret", "unibus", "0.0.0.0", "u", "", c, k, ca, en, true},
 		// Error: public cluster without mutual route TLS.
-		{"public-no-tls", "unibus", "10.0.0.1", "u", "p", "", "", "", true},
-		// Error: partial route-TLS flags trip regardless of bind.
-		{"loopback-partial-tls", "unibus", "127.0.0.1", "", "", c, "", "", true},
-		{"standalone-partial-tls", "", "127.0.0.1", "", "", c, k, "", true},
+		{"public-no-tls", "unibus", "10.0.0.1", "u", "p", "", "", "", en, true},
+		// Error: partial route-TLS flags trip regardless of bind/mode.
+		{"loopback-partial-tls", "unibus", "127.0.0.1", "", "", c, "", "", en, true},
+		{"standalone-partial-tls", "", "127.0.0.1", "", "", c, k, "", off, true},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			err := validateClusterConfig(tc.clusterName, tc.bind, tc.user, tc.pass, tc.rtCert, tc.rtKey, tc.rtCA)
+			err := validateClusterConfig(tc.clusterName, tc.bind, tc.user, tc.pass, tc.rtCert, tc.rtKey, tc.rtCA, tc.mode)
 			if tc.wantErr && err == nil {
 				t.Fatalf("cluster config %+v should be refused", tc)
 			}
@@ -143,6 +152,22 @@ func TestClusterConfigPolicy(t *testing.T) {
 	}
 }
 
+// TestAttack0008_N1 is the regression for audit 0008 N1 scenario 2: a node
+// configured to join a cluster while NOT enforcing auth (the weak node that lets
+// an unauthenticated peer harvest the cluster's forwarded traffic) must be refused
+// at startup. The homogeneous-posture rule makes this binary unable to BE that
+// weak node.
+func TestAttack0008_N1(t *testing.T) {
+	// Weak node: clustered but --bus-auth off -> refused.
+	if err := validateClusterConfig("unibus", "0.0.0.0", "u", "p", "n.crt", "n.key", "ca.crt", membership.AuthOff); err == nil {
+		t.Fatalf("a clustered node without enforce must be refused (audit 0008 N1)")
+	}
+	// Same node WITH enforce + full route security -> allowed.
+	if err := validateClusterConfig("unibus", "0.0.0.0", "u", "p", "n.crt", "n.key", "ca.crt", membership.AuthEnforce); err != nil {
+		t.Fatalf("a clustered enforce node with full route security must be allowed, got: %v", err)
+	}
+}
+
 func TestSplitRoutes(t *testing.T) {
 	cases := []struct {
 		in   string