epic: hosted authsome with DID identity and hosted proxy

[manojbajaj95]

Goal

Ship a hosted authsome deployment where multiple users can safely use a shared daemon, authenticate with DID-backed proof-of-possession requests, keep credentials isolated, share server-owned OAuth app credentials, and optionally use a server-side hosted proxy.

Status

Blocked. This epic should not be implemented until the prerequisite identity, profile, storage, OAuth client-scope, and session-safety issues are complete.

Prerequisites

• epic: replace default profile with DID-verified multi-profile identity #236 - Replace default profile with DID-verified multi-profile identity
• feat: --profile global CLI flag + profile subcommand group #183 - Global --profile flag and profile subcommands
• feat: identity/DID middleware — bearer token resolves to user identity per request #168 - DID/request identity middleware; per-request AuthService
• feat: per-user storage partitioning for hosted deployment #169 - Per-user storage partitioning for hosted deployment
• fix: move ProviderClientRecord to server scope (server:<provider>:client) #170 - Move ProviderClientRecord to server scope
• fix: enforce session ownership on auth session routes #171 - Enforce session ownership on auth session routes
• feat: hosted proxy — server-side mitmproxy (Option A) #172 - Hosted proxy, server-side mitmproxy

In Scope

• Hosted daemon with authenticated CLI/proxy callers
• Request-scoped identity from verified DID/PoP JWT
• Per-user credential isolation
• Server-scoped OAuth client credentials
• Session ownership checks
• Hosted proxy design and implementation if hosted proxy is part of the first hosted release

Out of Scope

• Passport registration
• Shared profile delegation
• Postgres storage backend unless a separate issue promotes it
• KEK/DEK passphrase wrapping unless required by deployment policy

Acceptance Criteria

• Missing or invalid caller proof is rejected for credential-touching routes
• Two users cannot read or mutate each other's credentials or sessions
• OAuth client credentials are shared server-wide, not user-scoped
• Local single-user mode still works
• Hosted deployment docs describe setup, trust model, proxy mode, and known limitations

Notes

This issue intentionally sits above #236. #236 owns the DID-backed identity/profile change; this epic tracks the broader hosted product shape across identity, storage, OAuth client scope, session security, and proxy operations.