feat(deploy): API-key identity webhook for remote signer

[eliteprox]

Summary

Adds the NodeJS identity webhook for remote signer to authenticate remote signing requests. Initial implementation with simple api-key authentication adapter.

• identity-webhook — in-compose Node service using builder-sdk API-key provider (not Auth0/OIDC). Resolves sk_* keys from DEMO_API_KEY / DEMO_API_KEYS env.
• Signer wiring — remote-signer depends on identity-webhook; default REMOTE_SIGNER_WEBHOOK_URL=http://identity-webhook:8090/authorize.

Stack

identity-webhook → remote-signer → Kafka → openmeter-collector

No local identity DB — stateless API-key lookup from env.

Quick start

cp deploy/.env.example deploy/.env

docker compose -f deploy/docker-compose.yml --env-file deploy/.env up -d --build \
  kafka identity-webhook remote-signer

Validate webhook authentication response

docker compose -f deploy/docker-compose.yml --env-file deploy/.env exec identity-webhook \
  curl -sS -X POST http://localhost:8090/authorize \
    -H "Authorization: Bearer dev-webhook-secret-change-me" \
    -H "Content-Type: application/json" \
    -d '{"headers":{"Authorization":["Bearer sk_demo_local_key"]}}'

Test plan

• docker compose … up -d --build — identity-webhook and remote-signer healthy
• curl /authorize via docker compose exec identity-webhook returns auth_id: demo-client:demo-user
• remote-signer starts without manual REMOTE_SIGNER_WEBHOOK_URL override
• Signer port 8081 published; CLI port 4935 not published