feat(server): declare gRPC auth (mode + scope + role) at the handler, enforce at the router

[mrunalp]

Summary

Move gRPC auth metadata (auth mode, Bearer scope, required role) from four
hand-maintained constants into per-handler #[rpc_auth(...)] annotations
generated by a new proc macro, and close the asymmetric router enforcement
where a Principal::User could reach handlers intended for sandbox
supervisors. A descriptor-set-driven exhaustiveness test pins the surface
so a new RPC can't silently fall back to openshell:all.

Related Issue

Fixes #1586

Changes

• New proc-macro crate openshell-server-macros exposing #[rpc_authz]
  (impl-level) and #[rpc_auth] (per-method) attributes. First proc macro
  in the workspace; intentionally small and focused on auth metadata.
• Per-handler annotations on every RPC in OpenShellService and
  InferenceService, declaring auth = "unauthenticated" | "sandbox" | "bearer" | "dual" and (when bearer / dual) the required scope and
  role. The macro derives canonical gRPC paths from the proto service
  name + PascalCased method name, so paths cannot drift from the proto.
• Aggregator + lookup in auth/method_authz.rs exposing
  lookup, required_scope, required_role, is_unauthenticated,
  is_sandbox_callable, and the new is_user_callable. Single source of
  truth for the four old constants.
• Router-side AuthMode check in multiplex.rs: Principal::User is
  now rejected with PermissionDenied: this method requires a sandbox principal for methods declared sandbox (and for unauthenticated
  methods which would already short-circuit). Mirrors the existing
  is_sandbox_callable check on Principal::Sandbox. Closes the gap
  where GetSandboxProviderEnvironment, ReportPolicyStatus,
  SubmitPolicyAnalysis, PushSandboxLogs, ConnectSupervisor, and
  RelayStream were reachable by a user token because their handlers
  use ensure_sandbox_scope (which intentionally lets users through) or
  no guard at all.
• Deleted SCOPED_METHODS and ADMIN_METHODS from auth/authz.rs,
  UNAUTHENTICATED_METHODS from auth/oidc.rs, and
  ALLOWED_SANDBOX_METHODS from auth/sandbox_methods.rs. Their public
  predicates (is_unauthenticated_method, is_sandbox_callable) now
  delegate to the aggregator; the existing unit tests keep passing.
  UNAUTHENTICATED_PREFIXES stays — prefix matching for
  /grpc.reflection.* and /grpc.health.* is structural, not per-method.
• Compile-time enforcement. #[rpc_authz] fails compilation on:
  missing #[rpc_auth], scope/role on unauthenticated/sandbox
  methods, missing scope/role on bearer/dual methods, duplicate
  gRPC paths within a service, duplicate keys inside one #[rpc_auth],
  and invalid auth mode/role strings.
• Descriptor-set exhaustiveness test. openshell-core/build.rs now
  calls tonic_build::configure().file_descriptor_set_path(...) and
  exposes openshell_core::FILE_DESCRIPTOR_SET. A new test in
  openshell-server enumerates every (service, method) from the
  descriptor and asserts it is covered exactly once by a MethodAuth
  entry. Catches new RPCs without annotations, stale annotations after
  renames, and duplicates across services.
• Router regression test asserting an openshell-admin + openshell:all
  bearer user is denied on each sandbox-annotated method.

Auth model

Auth mode	Principal::Sandbox accepted?	Bearer accepted?	Scope applies?	Role applies?
unauthenticated	n/a	n/a	no	no
sandbox	yes	no	no	no
bearer	no	yes	yes	yes
dual	yes	yes	Bearer path only	Bearer path only

sandbox here refers to the per-sandbox gateway-minted JWT introduced in
#1404 — the old shared sandbox secret no longer exists. A handler
annotated sandbox authenticates as a specific Principal::Sandbox.

Backwards compatibility

Visible behavior changes for deployed gateways:

• Six methods (GetSandboxProviderEnvironment, ReportPolicyStatus,
  SubmitPolicyAnalysis, PushSandboxLogs, ConnectSupervisor,
  RelayStream) start rejecting Bearer users at the router. Nothing in
  the CLI or any user-facing flow calls them; only sandbox supervisors
  do, via the per-sandbox JWT path.
• A handful of provider-profile methods and ExecSandboxInteractive that
  previously fell back to openshell:all now have explicit scope/role
  declarations. openshell:all tokens still work; provider:read-only
  tokens gain access to ListProviderProfiles / GetProviderProfile.

Testing

• mise run pre-commit passes (rust:lint, rust:format, rust:check,
  helm:lint, helm:docs:check — all green; the only mise run ci failures
  are markdown lint errors in pre-existing files outside this branch).
• Unit tests added/updated:
  • auth::method_authz::tests — three exhaustiveness tests
    (every_proto_rpc_has_an_annotation,
    every_annotated_path_matches_a_real_rpc,
    no_duplicate_paths_across_services) plus user_callable_matches_auth_mode.
  • multiplex::tests::auth_router::user_principal_is_denied_on_sandbox_only_methods
    — proves the router rejects admin + openshell:all on all nine
    sandbox-only methods.
  • Existing tests in authz.rs, oidc.rs, sandbox_methods.rs,
    multiplex.rs continue to pass against the new aggregator.
• E2E tests added/updated (if applicable): N/A — no new e2e harness
  added in this PR; existing e2e:kubernetes smoke run continues to
  exercise the auth path through the gateway.
• Full workspace test suite: 2509 tests pass, 0 failures.

Manual verification

Verified end-to-end against a local OIDC + Keycloak deployment.

Method	Before this PR	After this PR
GetSandboxProviderEnvironment	NotFound: sandbox not found (handler reached, store queried)	PermissionDenied: this method requires a sandbox principal
ReportPolicyStatus	InvalidArgument: sandbox_id is required	PermissionDenied
SubmitPolicyAnalysis	InvalidArgument: name is required	PermissionDenied
PushSandboxLogs	{} — stream accepted, push succeeded	PermissionDenied
ConnectSupervisor	InvalidArgument: expected SupervisorHello (bidi opened)	PermissionDenied
RelayStream	InvalidArgument: first RelayFrame must be init… (bidi opened)	PermissionDenied
IssueSandboxToken / RefreshSandboxToken / GetInferenceBundle	PermissionDenied (handler-level guard)	PermissionDenied (router-level)

Positive paths (reader token can ListSandboxes, writer token reaches
CreateSandbox validation, admin + provider:write can CreateProvider
/ ListProviders / DeleteProvider, scope-only and role-only denials
return the existing AuthzPolicy messages) are unchanged.

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[TaylorMutch]

/ok to test 5de68c4

[TaylorMutch]

/ok to test a8f611e

[github-actions]

Label test:e2e applied for a8f611e. Open the existing run and click Re-run all jobs to execute with the label set. The run will execute the standard E2E suite after building the required gateway and supervisor images once. The matching required CI gate status on this PR will flip green automatically once the run finishes.

[TaylorMutch]

/ok to test cd2669f