[codex] Apply Cedar authorization consistently to TData #278

Open
arun-pathiban-ddog wants to merge 3 commits into nerdsane:main from arun-pathiban-ddog:codex/cedar-odata-authorization


@arun-pathiban-ddog
Contributor

Summary

  • add shared Cedar enforcement helpers for TData entity operations
  • authorize entity reads, list results, navigation expansions, streams, CRUD mutations, PG actor actions, and raw blob ingestion consistently
  • keep collection filtering, paging, $count, and $select authorization-correct

Root Cause

Cedar authorization was applied to bound-action POST handling, but normal read routes and several mutation/stream fast paths could return or change entity data without going through the same policy evaluation boundary. Optimized list pagination and projection also could not be safely reused once per-row Cedar checks became mandatory.

Impact

Entity reads now require read, collections require list and filter rows through read, and collection expansions require list before child reads. Normal creates, updates, deletes, stream uploads/downloads, and raw content-addressed ingestion now enforce the matching Cedar action. Denied writes continue to record authorization decisions.

Discovery endpoints such as the service document, $metadata, and $hints remain discovery surfaces; /tdata/$events already uses its read_events authorization gate.

Validation

  • cargo check -p temper-server --features sim
  • cargo test -p temper-server --features sim --test odata_read --test file_value_fast_path
  • cargo test -p temper-server --features sim --lib
  • git diff --check

@arun-pathiban-ddog arun-pathiban-ddog marked this pull request as ready for review May 25, 2026 15:03
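
The Root Cause section notes that optimized pagination could not be safely reused once per-row checks became mandatory. An added illustration of that ordering problem (not code from this pull request or from temper-server): `can_list` and `can_read` are hypothetical stand-ins for Cedar `list` and `read` decisions, and the rows are constructed.

```rust
// Added illustration; stand-in types, not temper-server's code.
#[derive(Clone, Debug, PartialEq)]
struct Row { id: u32, owner: &'static str }

struct Page { rows: Vec<Row>, count: usize }

// Hypothetical stand-in for a Cedar `list` decision on the collection.
fn can_list(principal: &str) -> bool { !principal.is_empty() }

// Hypothetical stand-in for a Cedar `read` decision on one entity.
fn can_read(principal: &str, row: &Row) -> bool { row.owner == principal }

/// Page first, authorize afterwards: pages come back short and the
/// reported count includes rows the caller may not read.
fn page_then_filter(p: &str, all: &[Row], skip: usize, top: usize) -> Page {
    let rows = all.iter().skip(skip).take(top)
        .filter(|r| can_read(p, r)).cloned().collect();
    Page { rows, count: all.len() }
}

/// `list` gate, then per-row `read`, and only then $count, $skip, $top.
fn filter_then_page(p: &str, all: &[Row], skip: usize, top: usize) -> Option<Page> {
    if !can_list(p) { return None; } // denied before any row is touched
    let visible: Vec<Row> = all.iter().filter(|r| can_read(p, r)).cloned().collect();
    let count = visible.len();
    let rows = visible.into_iter().skip(skip).take(top).collect();
    Some(Page { rows, count })
}

// Constructed sample collection.
fn sample() -> Vec<Row> {
    [(1, "bob"), (2, "alice"), (3, "bob"), (4, "alice"), (5, "alice")]
        .iter().map(|&(id, owner)| Row { id, owner }).collect()
}

fn main() {
    let all = sample();
    let early = page_then_filter("alice", &all, 0, 2);
    let late = filter_then_page("alice", &all, 0, 2).expect("list allowed");
    println!("page-then-filter: {:?} count={}", early.rows, early.count);
    println!("filter-then-page: {:?} count={}", late.rows, late.count);
}
```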