Security hardening: auth, RBAC, CORS, rate limiting, validation

[sebastientaggart]

Implements all 6 security hardening tasks from issue #1:

1. Required API key — auto-generates a write-scoped key on first run if none configured; removes the no-auth bypass
2. RBAC with read/write scopes — GET routes require read, POST routes require write; read-only keys get 403 on write endpoints; supports multiple keys via config
3. CORS middleware — locked to localhost / 127.0.0.1 origins (any port)
4. Rate limiting — fixed-window per client IP, default 60 req/min, configurable via [rate_limit] rpm or DECKHAND_RATE_LIMIT_RPM
5. WebSocket first-message auth — token no longer leaked in query params; client sends {type: "auth", token: "..."} after connect, server responds auth_ok or closes with 4001
6. Input validation — action/signal payloads validated against registered payload_schema before reaching handler code; returns 422 with specific errors

Also fixes pre-existing lint issues (unused vars, stale imports) and updates bridge client + tests.

Closes #1

[sebastientaggart]

Review Summary

Verdict: APPROVE

Findings

• [WARNING] RateLimiter memory growth — RateLimiter._windows (defaultdict(list)) never evicts keys for IPs that stop making requests. Each unique client IP creates an entry that persists for the lifetime of the process. In a localhost-only deployment this is benign, but if the service is ever exposed to varied IPs (e.g., behind a proxy logging distinct X-Forwarded-For values), the dict will grow without bound. Consider periodically pruning keys whose hit list is empty after the sliding-window filter. (src/deckhand/security.py, lines 100-116)

• [WARNING] WebSocket auth does not enforce scope — The WS /events endpoint validates the API key but accepts any scope. A read-only key can subscribe to the full event stream, which may include write-side events (agent status changes, action results, etc.). If the intent is that read-scoped keys should be able to subscribe to events this is fine, but it is worth documenting explicitly since every other endpoint enforces scope. (src/deckhand/main.py, line 510)

• [NOTE] validate_payload ignores extra fields — The validator only checks declared schema fields; it does not flag unknown keys in the incoming payload. This is a reasonable "open" validation strategy but means typos in field names (e.g., actve instead of active) will be silently accepted. Acceptable as-is, just calling it out.

• [NOTE] _generated_key accessed across module boundary — main.py reads settings._generated_key (a name-mangled-by-convention private attribute). Consider exposing it via a property or a public attribute to make the API contract clearer. (src/deckhand/main.py, line 69; src/deckhand/config/settings.py)