egutierrez
3e39e23fe0
Adds the bus-auth rollout (off|soft|enforce) to the control plane. The middleware verifies an Ed25519 request signature over CanonicalRequest (method, request-URI, ts, nonce, sha256(body)), checks the timestamp is within +/-30s, rejects replayed nonces via an in-memory TTL cache (60s), and requires the signer to be an active user in the allowlist. soft logs rejections but lets requests through so clients can migrate without an outage; off is the legacy no-op default. /healthz is exempt so health probes work before any identity exists. CanonicalRequest is exported as the single source of truth shared with the client. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>