feat(rpc): require auth for OL transaction submission #1844

Open: storopoli wants to merge 4 commits into main from STR-3548-OL-RPC-sumit-tx-auth
@storopoli
Member

Description

Moves strata_submitTransaction off the unauthenticated public Strata RPC listener and onto a dedicated authenticated submit RPC listener. The public OL RPC surface is now read-only, while the submit listener preserves the existing JSON-RPC method name and uses bearer-token auth.

This also adds submit RPC configuration, validation, alpen-client submit endpoint handling, and functional harness/docker updates so internal transaction submission uses the authenticated submit endpoint.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature/Enhancement (non-breaking change which adds functionality or enhances an existing one)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactor
  • New or updated tests
  • Dependency Update

Notes to Reviewers

The public RPC listener no longer registers strata_submitTransaction. Sequencer deployments now require a non-empty submit RPC bearer token, and public/admin/submit RPC ports must all be distinct by port number.

AI was used to assist in this PR.

Is this PR addressing any specification, design doc or external reference document?

  • Yes
  • No

If yes, please add relevant links:

Checklist

  • I have performed a self-review of my code.
  • I have commented my code where necessary.
  • I have updated the documentation if needed.
  • My changes do not introduce new warnings.
  • I have added (where necessary) tests that prove my changes are effective or that my feature works.
  • New and existing tests pass with my changes.
  • I have disclosed my use of AI in the body of this PR.

Related Issues

STR-3548
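
Added example (not code from this PR or the Strata code base): a Rust sketch of the two startup rules stated in the notes to reviewers, plus a bearer-token check that fails closed. `RpcPorts`, `ConfigError`, `validate`, `ct_eq` and `authorized` are hypothetical names, the port numbers and token are constructed, and letting a non-sequencer node run without a token is an assumption.

```rust
// Added illustration, not code from the PR; every name here is hypothetical.
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum ConfigError { EmptySubmitToken, DuplicatePort(u16) }

pub struct RpcPorts { pub public: u16, pub admin: u16, pub submit: u16 }

/// Startup check: a sequencer must have a non-empty submit token, and the
/// three listeners must differ by port number (the host is not considered).
pub fn validate(ports: &RpcPorts, is_sequencer: bool, token: &str) -> Result<(), ConfigError> {
    // Assumption: nodes that are not sequencers may run without a token.
    if is_sequencer && token.trim().is_empty() {
        return Err(ConfigError::EmptySubmitToken);
    }
    let mut seen = HashSet::new();
    for port in [ports.public, ports.admin, ports.submit] {
        if !seen.insert(port) {
            return Err(ConfigError::DuplicatePort(port));
        }
    }
    Ok(())
}

/// Byte comparison with no early exit on the first mismatch. A vetted
/// constant-time primitive (e.g. the `subtle` crate) is preferable in production.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    let mut diff = a.len() ^ b.len();
    for i in 0..a.len().max(b.len()) {
        diff |= (a.get(i).copied().unwrap_or(0) ^ b.get(i).copied().unwrap_or(0)) as usize;
    }
    diff == 0
}

/// Checks an `Authorization` header value against the configured token.
pub fn authorized(header: Option<&str>, expected: &str) -> bool {
    if expected.is_empty() {
        return false; // fail closed: an unset token never authenticates
    }
    header
        .and_then(|h| h.strip_prefix("Bearer "))
        .map_or(false, |presented| ct_eq(presented.as_bytes(), expected.as_bytes()))
}

fn main() {
    let ports = RpcPorts { public: 8432, admin: 8433, submit: 8434 }; // constructed values
    println!("{:?}", validate(&ports, true, ""));
    println!("{}", authorized(Some("Bearer constructed-token"), "constructed-token"));
}
```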

@github-actions
Contributor

github-actions Bot commented May 21, 2026

Commit: bf44454

SP1 Execution Results

program          cycles      gas
EVM EE Chunk     565,596     771,682
EVM EE Account   421,125     526,509
Checkpoint       2,241,398   2,582,981

@codecov

codecov Bot commented May 21, 2026

Codecov Report

❌ Patch coverage is 97.87234% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.78%. Comparing base (d2f195d) to head (3d54e6d).
⚠️ Report is 1 commits behind head on main.

Files with missing lines             Patch %   Lines
bin/alpen-client/src/rpc_client.rs   96.49%    2 Missing ⚠️
bin/strata/src/rpc/mod.rs            95.45%    2 Missing ⚠️
bin/alpen-client/src/main.rs         88.88%    1 Missing ⚠️
@@            Coverage Diff             @@
##             main    #1844      +/-   ##
==========================================
- Coverage   79.84%   79.78%   -0.07%     
==========================================
  Files         674      674              
  Lines       74711    74927     +216     
==========================================
+ Hits        59654    59781     +127     
- Misses      15057    15146      +89     
Flag         Coverage Δ
functional   60.21% <80.15%> (-0.21%) ⬇️
unit         65.66% <71.48%> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown.

Files with missing lines             Coverage Δ
bin/strata/src/args.rs               100.00% <100.00%> (ø)
bin/strata/src/context.rs            92.63% <100.00%> (+0.96%) ⬆️
bin/strata/src/rpc/auth.rs           98.52% <100.00%> (ø)
bin/strata/src/rpc/node.rs           80.51% <100.00%> (-0.52%) ⬇️
crates/config/src/config.rs          98.90% <100.00%> (+0.08%) ⬆️
bin/alpen-client/src/main.rs         91.56% <88.88%> (-0.07%) ⬇️
bin/alpen-client/src/rpc_client.rs   94.82% <96.49%> (+0.38%) ⬆️
bin/strata/src/rpc/mod.rs            90.69% <95.45%> (+1.10%) ⬆️

... and 20 files with indirect coverage changes


@storopoli force-pushed the STR-3548-OL-RPC-sumit-tx-auth branch from 7e1188b to 3d54e6d (May 21, 2026 17:27)
Contributor

@delbonis delbonis left a comment

One note.

Contributor

I think you could avoid having to roll this on your own, unless there's some annoying reason about how it's inside jsonrpsee: https://matze.github.io/axum-notes/notes/auth/with_tower_http/index.html

Contributor

@krsnapaudel krsnapaudel left a comment

LGTM. Thanks.

Contributor

@bewakes bewakes left a comment

This looks good generally. One config concern I see: a separate host/port per RPC category (admin, submit, general) feels redundant because there's more to configure and document, and it's easier to misconfigure.

A port is worth it when we need network-level isolation. This is true for admin/debug-related endpoints but not for read/submit, neither of which is privileged. Isolating read/submit from each other doesn't buy much. I'd collapse these to two ports: admin/debug and non-admin (submit included), and make non-admin auth method-specific instead of port-specific.

The tradeoff here is that with method-level auth we need to do it for every method we want to have auth, whereas for port-level we just need to do it once.

Reminder to update the deployment docs after the PR lands.

Comment thread bin/strata/src/rpc/mod.rs
@storopoli
Member Author

@purusang or @alexhui01 take a look at this? Testnet blocker
