67cedf9bba
Add docs/auth.md describing the default-open auth/authz design: service account and user principals, hashed bearer tokens, a path+capability ACL model (read/write/delete/create), an observe-only enforcement middleware gated by AUTH_ENFORCE, Vault mint/revoke integration with a companion vault-plugin-secrets-artifactapi engine, OIDC/LDAP user login, and a phased delivery plan. Refs #79