feat(0003a): NATS cluster routes with shared-secret auth + mutual route TLS

Add high-availability cluster support to the embedded NATS server
(issue 0003a, first phase of decentralization).

pkg/embeddednats:
- ServerConfig gains ServerName (unique per node, required by JetStream
  RAFT) and an optional *ClusterConfig (cluster name, route host/port,
  peer route URLs, shared-secret Username/Password, and a mutual-TLS
  *tls.Config). applyClusterOpts maps it onto server.Options.Cluster +
  Routes. Nil Cluster keeps the legacy standalone server.

pkg/busauth:
- RouteTLSConfig builds the route layer's mutual-TLS config: the node
  presents its CA-signed certificate AND verifies the peer's certificate
  against the bus CA (RequireAndVerifyClientCert), reusing the issue-0001
  CA. Routes authenticate NODES, never the client nkey authenticator.

cmd/membershipd:
- Cluster flags (--cluster-name/--server-name/--cluster-port/--routes/
  --cluster-user/--cluster-pass/--route-tls-cert/-key/-ca) wire a node
  into the cluster. validateClusterConfig refuses a public cluster
  without a route secret and complete mutual route TLS, and rejects
  partial route-TLS flags (all-or-nothing). splitRoutes parses the CSV.

Tests (DoD: golden + 2 edge + error path):
- TestClusterForwardsAcrossNodes: 2-node cluster forwards a client
  subject from one node to a subscriber on the other.
- TestClusterThreeNodesForward: 3-node (HA shape) cross-node forwarding.
- TestClusterMutualTLSForwards: forwarding over mutual-TLS routes.
- TestClusterRejectsBadRouteAuth: wrong cluster password -> no route.
- TestClusterRejectsUnsignedNode: cert not signed by the bus CA -> no route.
- TestClusterConfigPolicy / TestSplitRoutes: boot-guard + CSV parsing.

Master stays green: standalone (no --cluster-name) is unchanged.

cmd/membershipd/config_test.go

@@ -70,3 +70,63 @@ func TestBootConfigPolicy(t *testing.T) {
 		})
 	}
 }
+
+// TestClusterConfigPolicy is the cluster route guard (issue 0003a): a standalone
+// server is always fine; a loopback cluster is dev-only and unguarded; a public
+// cluster demands both a route secret and complete mutual route TLS; and the
+// route-TLS flags are all-or-nothing regardless of bind.
+func TestClusterConfigPolicy(t *testing.T) {
+	const c, k, ca = "node.crt", "node.key", "ca.crt"
+	cases := []struct {
+		name                       string
+		clusterName, bind          string
+		user, pass                 string
+		rtCert, rtKey, rtCA        string
+		wantErr                    bool
+	}{
+		// Standalone (no cluster name) is always allowed, even on a public bind.
+		{"standalone-public", "", "0.0.0.0", "", "", "", "", "", false},
+		// Loopback dev cluster: unguarded (unreachable from outside).
+		{"loopback-cluster-bare", "unibus", "127.0.0.1", "", "", "", "", "", false},
+		// Golden: full public HA config.
+		{"public-full", "unibus", "0.0.0.0", "u", "p", c, k, ca, false},
+		// Error: public cluster without a route secret.
+		{"public-no-secret", "unibus", "0.0.0.0", "", "", c, k, ca, true},
+		{"public-half-secret", "unibus", "0.0.0.0", "u", "", c, k, ca, true},
+		// Error: public cluster without mutual route TLS.
+		{"public-no-tls", "unibus", "10.0.0.1", "u", "p", "", "", "", true},
+		// Error: partial route-TLS flags trip regardless of bind.
+		{"loopback-partial-tls", "unibus", "127.0.0.1", "", "", c, "", "", true},
+		{"standalone-partial-tls", "", "127.0.0.1", "", "", c, k, "", true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := validateClusterConfig(tc.clusterName, tc.bind, tc.user, tc.pass, tc.rtCert, tc.rtKey, tc.rtCA)
+			if tc.wantErr && err == nil {
+				t.Fatalf("cluster config %+v should be refused", tc)
+			}
+			if !tc.wantErr && err != nil {
+				t.Fatalf("cluster config %+v should be allowed, got: %v", tc, err)
+			}
+		})
+	}
+}
+
+func TestSplitRoutes(t *testing.T) {
+	cases := []struct {
+		in   string
+		want int
+	}{
+		{"", 0},
+		{"nats://a:1", 1},
+		{"nats://a:1,nats://b:2", 2},
+		{" nats://a:1 , nats://b:2 ", 2}, // spaces trimmed
+		{"nats://a:1,,", 1},              // empty entries dropped
+		{",", 0},
+	}
+	for _, c := range cases {
+		if got := splitRoutes(c.in); len(got) != c.want {
+			t.Fatalf("splitRoutes(%q) = %v (len %d), want len %d", c.in, got, len(got), c.want)
+		}
+	}
+}