agent: activate session-caller binding via opt-in per-peer tokens (#110a, safe slice of #110d)

[mbertschler]

What & why

Issue #110 is a cluster of HTTP-agent hardening gaps. Findings 9a, 9b, 9c
were already implemented and merged in PR #119 (origin/main). This PR lands
the safe, incremental slice of 9d that makes the dormant 9a session-caller
binding actually fire, and binds a declared node name to its credential.

Today the agent authenticates every caller with one shared token, so
callerNodeName(req) returned "" and the 9a lookupSession/takeSession
caller-binding — built and unit-tested in #119 — was inert in production. This
PR gives the agent a way to recover an authenticated node identity, turning that
protection on.

Per finding

• 9a — session bound to caller — ACTIVATED. requireBearer now resolves a
  presented token to a node identity (when per-peer tokens are configured),
  stamps it on the request context, and callerNodeName reads it back. The
  already-present session binding then rejects a phase call
  (/plan//verify//close//plan-folders) whose authenticated identity
  differs from the node that opened the session — so a second token-holder can no
  longer hijack or /close status=failed-abort another node's in-flight sync.
  (Mechanism was merged in Harden peer-sync receiver: origin poisoning, history loss, agent DoS (#105 #106 #110a-c) #119; this PR makes it enforce.)
• 9b — peer:// placeholder upgrade — already fixed (Harden peer-sync receiver: origin poisoning, history loss, agent DoS (#105 #106 #110a-c) #119), untouched.
  Receiver passes allowEndpointUpgrade=false; peerEndpoint ignores the wire
  InitiatorEndpoint.
• 9c — request body size limit — already fixed (Harden peer-sync receiver: origin poisoning, history loss, agent DoS (#105 #106 #110a-c) #119), untouched.
  decodeJSON wraps the body in http.MaxBytesReader (256 MiB) and /plan
  caps len(Entries) at 1<<20. The OOM vector is closed regardless of the
  deliberately-omitted ReadTimeout (streaming negotiation needs no wall clock;
  rationale is in agent/serve.go).
• 9d — single token / identity unbound — PARTIAL (safe increment); rest DEFERRED.
  • Done here: optional [agent.auth.peers.<node>] bearer = ... map (literal
    or { env }), wired to agent.Config.PeerTokens. When configured, a token
    maps to a node identity (constant-time shared-token check preserved; per-peer
    set keyed by SHA-256 digest). /begin also refuses a declared
    initiator_node_name that contradicts the authenticated identity, binding the
    declared name to the credential.
  • Deferred (warrants its own design discussion): making per-peer tokens
    mandatory / removing the shared token; per-volume scoping of a credential;
    rotating-token / revocation story. These are larger and out of scope here.

Known limitation (by design, flagged for sign-off)

This increment is opt-in and backward compatible: with no [agent.auth.peers]
configured the agent behaves exactly as before (single shared token, no binding).
A holder of the shared token still authenticates with no identity and so can
still drive any session — strict binding only applies to per-peer-token callers.
Closing that gap (shared-token removal + volume scoping) is the deferred part of
9d above.

Tests

• config: per-peer token resolution incl. env secrets; rejection of
  duplicate tokens, collision with the shared token, empty bearer, invalid node
  name; absent map leaves PeerTokens nil.
• agent: authenticator.authenticate resolution table; end-to-end
  TestPeerTokenSessionBinding (intruder token → 403 on /verify, owner →
  200); TestBeginRejectsImpersonatedNodeName (declared name ≠ credential → 403).

go vet ./..., go test ./..., golangci-lint run all green. No schema change.

Refs #110 (does not fully close it — 9d's larger redesign is deferred).