
feat(auth): plumb --verify-sigv4 and --iam flags through DispatchConfig #388

Merged
vieiralucas merged 2 commits into main from worktree-sigv4-iam-batch1-flags
Apr 14, 2026

Conversation

@vieiralucas (Member) commented Apr 14, 2026

Summary

First batch of the opt-in SigV4 verification + IAM policy enforcement work. This PR only plumbs the flags — nothing is enforced yet; existing behavior is unchanged.

  • New fakecloud_core::auth module with IamMode (off/soft/strict) and is_root_bypass (matches test* AKIDs case-insensitively — the community-standard local-dev convention used by LocalStack and Floci).
  • DispatchConfig gains verify_sigv4: bool and iam_mode: IamMode.
  • CLI exposes --verify-sigv4 / FAKECLOUD_VERIFY_SIGV4 and --iam off|soft|strict / FAKECLOUD_IAM.
  • Startup WARN when either feature is turned on, noting that test credentials bypass both checks — so users don't get false-positive "my policies work" results from unsigned test clients.

Roadmap context

This is batch 1 of 9:

  1. This PR — config flags + root-bypass predicate
  2. STS temp credential secret persistence (prereq for verification)
  3. SigV4 cryptographic verification via aws-sigv4
  4. Principal resolution + request-context enrichment
  5. IAM policy evaluator (Phase 1: identity policies, Allow/Deny, wildcards)
  6. Enforcement wiring + ServiceMetadata
  7-8. Per-service action_to_iam mappings + resource extractors
  9. Docs + README

Also sets up the shape for #381 (multi-account isolation): the new types are designed so account_id will flow from the credential's owning account rather than from global config once later batches land.

Test plan

  • cargo test -p fakecloud-core auth:: — 9 tests
  • cargo test -p fakecloud-core dispatch::tests:: — 2 tests
  • cargo test -p fakecloud cli:: — 4 tests (CLI flag parsing)
  • cargo clippy --workspace --all-targets -- -D warnings clean
  • cargo fmt --check clean
  • Manual: fakecloud --iam strict --verify-sigv4 prints the startup WARN and otherwise behaves identically to before

Summary by cubic

Adds opt-in SigV4 verification and IAM policy evaluation flags, wired from the CLI/env into DispatchConfig. Defaults are off; no request behavior changes. Also fixes a crash in is_root_bypass with non-ASCII AKIDs.

  • New Features
    • New fakecloud_core::auth with IamMode (off/soft/strict) and is_root_bypass for test* AKIDs.
    • DispatchConfig adds verify_sigv4: bool and iam_mode: IamMode.
    • CLI: --verify-sigv4 (FAKECLOUD_VERIFY_SIGV4) and --iam off|soft|strict (FAKECLOUD_IAM).
    • Startup WARN when enabled, noting test credentials bypass verification and IAM checks.
  • Bug Fixes
    • Prevent UTF-8 boundary panic in is_root_bypass by using str::get(..4); added regression tests.

Written for commit ba06607. Summary will update on new commits.

Introduces the opt-in security feature flags without enforcing anything
yet. Both features default to off — existing behavior is unchanged.

- New `fakecloud_core::auth` module with `IamMode` (off/soft/strict) and
  `is_root_bypass` (matches `test*` AKIDs case-insensitively, the
  community-standard local-dev convention used by LocalStack and Floci).
- `DispatchConfig` gains `verify_sigv4: bool` and `iam_mode: IamMode`.
- `Cli` exposes `--verify-sigv4` / `FAKECLOUD_VERIFY_SIGV4` and
  `--iam off|soft|strict` / `FAKECLOUD_IAM`.
- Startup WARN whenever either feature is enabled, noting that `test`
  credentials bypass both checks — prevents users from getting
  false-positive "my policies work" results from unsigned test clients.

Groundwork for #381 (multi-account isolation): the new types are shaped
so `account_id` will flow from the credential's owning account rather
than from global config once the later batches land.

No dispatch-time behavior change; actual verification and enforcement
land in subsequent batches. Unit tests cover CLI parsing, mode parsing,
config plumbing, and the root bypass predicate.

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 5 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="crates/fakecloud-core/src/auth.rs">

<violation number="1" location="crates/fakecloud-core/src/auth.rs:106">
P2: `trimmed[..4]` panics on non-ASCII input when byte index 4 falls inside a multi-byte character. Use `str::get(..4)` for a safe, non-panicking slice that also simplifies the function.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread on crates/fakecloud-core/src/auth.rs (outdated)
Cubic identified a panic risk: trimmed[..4] panics when byte index 4
falls inside a multi-byte UTF-8 character. Switch to str::get(..4) which
returns None on non-char-boundary slices and also collapses the empty /
short-length branches.

Add regression test with multi-byte UTF-8 inputs.
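An added Rust example (not the project's code) re-creating the predicate and mode parsing described in the PR and in the review above. It assumes `is_root_bypass` trims whitespace and compares the first four bytes with `test` case-insensitively; it puts the `[..4]` form that panics on a non-char-boundary index beside the `str::get(..4)` fix, and adds a minimal parser for the `--iam off|soft|strict` values.

```rust
use std::panic;
use std::str::FromStr;

/// Illustrative stand-in for the page's `IamMode`; the project's own type may differ.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum IamMode {
    Off,
    Soft,
    Strict,
}

impl FromStr for IamMode {
    type Err = String;

    /// Parses the `--iam off|soft|strict` CLI value, ignoring case and surrounding whitespace.
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.trim().to_ascii_lowercase().as_str() {
            "off" => Ok(IamMode::Off),
            "soft" => Ok(IamMode::Soft),
            "strict" => Ok(IamMode::Strict),
            other => Err(format!("invalid --iam value {other:?}, expected off|soft|strict")),
        }
    }
}

/// Assumed pre-fix shape the review flagged: `&str[..4]` panics when byte 4 is
/// not a char boundary (e.g. the constructed input "aaaé", where 'é' is bytes 3..5).
pub fn is_root_bypass_panicking(akid: &str) -> bool {
    let trimmed = akid.trim();
    if trimmed.len() < 4 {
        return false;
    }
    trimmed[..4].eq_ignore_ascii_case("test")
}

/// Fixed shape: `str::get(..4)` yields `None` both for inputs shorter than four
/// bytes and for a slice that would split a multi-byte character, so one call
/// replaces the explicit empty/short-length branches.
pub fn is_root_bypass(akid: &str) -> bool {
    akid.trim()
        .get(..4)
        .map_or(false, |prefix| prefix.eq_ignore_ascii_case("test"))
}

/// Reports whether the pre-fix predicate panics for `akid` (demonstrates the bug).
pub fn panics_on(akid: &str) -> bool {
    panic::catch_unwind(|| is_root_bypass_panicking(akid)).is_err()
}
```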
@vieiralucas vieiralucas merged commit aec3078 into main Apr 14, 2026
35 checks passed
@vieiralucas vieiralucas deleted the worktree-sigv4-iam-batch1-flags branch April 14, 2026 19:51