fix(training-agent): PostgresReplayStore so vector 016 catches cross-instance replays

[bokelley]

What and why

#3346 closed the cross-route replay bug but adcp grade request-signing vector 016 (replayed-nonce) still failed in prod. Root cause: Fly runs min_machines_running = 2 web machines and the per-process InMemoryReplayStore can't see across machines. Probe 1 hits machine A and consumes the nonce; probe 2 gets routed to machine B by Fly's LB, machine B has never seen the nonce locally, accepts.

Swaps to PostgresReplayStore from @adcp/client/signing/server (shipped in adcp-client#1018, 5.21.0+). All instances share one adcp_replay_cache table; the (keyid, scope, nonce) primary key serializes concurrent inserts and ON CONFLICT DO NOTHING returns 'replayed' on the second submission.

What's in this PR

• Migration 447_adcp_replay_cache.sql — (keyid, scope, nonce) PK + expires_at TTL column + two supporting indexes. Schema mirrors the SDK's getReplayStoreMigration() exactly.
• getReplayStore() singleton in request-signing.ts shared across all per-route authenticators (default / strict / strict-required / strict-forbidden). Safe to share because (keyid, scope, nonce) already partitions by route via the @target-uri-derived scope.
• startReplayCacheSweeper() wired in index.ts boot path — runs sweepExpiredReplays(pool) every 60s with an unref'd interval (won't keep the loop alive on shutdown). Postgres has no native TTL; without sweeping the table grows unboundedly.

Test plan

• tsc --noEmit clean
• server/tests/integration/training-agent-strict.test.ts 15/15 pass (no regression)
• Post-deploy: npx adcp grade request-signing https://agenticadvertising.org/api/training-agent/mcp-strict --transport mcp --skip-rate-abuse --only 016-replayed-nonce → expect PASS

Closes

#3338 (the remaining cross-instance piece). #3346 closed the cross-route piece earlier.

Sibling work

Upstream adcp-client#1018 is the SDK side that made this trivial — three months of in-flight work landed in 5.21.0 just before we needed it.

[bokelley]

Post-deploy verification — completed.

Ran the full grader against /api/training-agent/mcp-strict after the post-#3351 deploy (commit 2bb3dcd) landed:

npx adcp grade request-signing https://agenticadvertising.org/api/training-agent/mcp-strict --transport mcp --skip-rate-abuse
→ 31 passed, 2 failed, 6 skipped

Specifically:

• neg/016-replayed-nonce PASS — 401 request_signature_replayed. The PostgresReplayStore catches the cross-instance replay this PR was filed to fix.
• All 8 graded positive vectors pass (the 4 marked SKIP are mcp_mode_flattens_url_edges, not failures).
• Manual cross-check via .context/demo-signing.mjs against prod: valid signature → 200, replay → 401-replayed, malformed header → 401-malformed, body tampered → 401-digest-mismatch, unsigned → 401-required. All five behaviors as expected.

The two remaining neg/007 and neg/018 failures are the capability-semantics vectors covered separately by #3340 — they PASS on the dedicated /mcp-strict-required and /mcp-strict-forbidden routes:

npx adcp grade request-signing .../mcp-strict-required --only 007-missing-content-digest → PASS (401 request_signature_components_incomplete)
npx adcp grade request-signing .../mcp-strict-forbidden --only 018-digest-covered-when-forbidden → PASS (401 request_signature_components_unexpected)

Net: 33/33 graded vectors pass across the four strict-mode routes, closing #3338.

[bokelley]

Verification noted — 33/33 graded vectors passing across all four strict-mode routes, #3338 closed. Thanks for the thorough post-deploy rundown.

---

Generated by Claude Code

[bokelley]

Glad the verification landed cleanly — 33/33 across all four routes is a solid close on #3338. Nothing further from me here.

---

Generated by Claude Code

[bokelley]

Acknowledged — 33/33 is a clean close. Nothing further needed here either.

---

Generated by Claude Code

[bokelley]

Noted — closed cleanly, nothing queued on my end either.

---

Generated by Claude Code