
Remove HMAC shared-secret authentication from docker-runner #15

@rowan-stein

Description

User Request

Remove HMAC shared-secret authentication (DOCKER_RUNNER_SHARED_SECRET) from the docker-runner server. Per the updated architecture (gaps/runner-hmac-removal.md), OpenZiti mTLS is now the sole authentication mechanism for Orchestrator ↔ Runner communication. The client side (platform) was already cleaned up in agynio/platform#1401.

Specification

Scope

All changes are within agynio/docker-runner.

Files & Changes

1. Delete src/contracts/auth.ts and src/contracts/json.ts (HMAC modules)

  • Delete src/contracts/auth.ts — entire HMAC signing/verification module (buildAuthHeaders, verifyAuthHeaders, signPayload, hashBody, NonceCache, extractHeader, etc.)
  • Delete src/contracts/json.ts — canonical JSON serialization helper used only by auth.ts

2. src/index.ts — Remove re-exports

  • Remove export * from './contracts/auth.ts'
  • Remove export * from './contracts/json.ts'

3. src/service/config.ts — Remove HMAC config fields

  • Remove sharedSecret from the runnerConfigSchema Zod schema
  • Remove signatureTtlMs from the schema (it controls HMAC nonce TTL, no longer needed)
  • Remove sharedSecret: env.DOCKER_RUNNER_SHARED_SECRET from loadRunnerConfig()
  • Remove signatureTtlMs: env.DOCKER_RUNNER_SIGNATURE_TTL_MS from loadRunnerConfig()

4. src/service/grpc/server.ts — Remove HMAC verification from all RPC handlers

  • Remove import { verifyAuthHeaders } from '../../index.ts'
  • Remove NonceCache from the import and from the RunnerGrpcOptions type
  • Remove the verifyGrpcAuth() helper function entirely
  • Remove the metadataToHeaders() helper function (only used by verifyGrpcAuth)
  • Remove every verifyGrpcAuth(...) call and the associated if (!verification.ok) auth guard block from all RPC handlers: ready, startWorkload, stopWorkload, removeWorkload, inspectWorkload, getWorkloadLabels, findWorkloadsByLabels, listWorkloadsByVolume, removeVolume, touchWorkload, putArchive, streamWorkloadLogs, streamEvents, exec, cancelExecution
  • Remove nonceCache from the RunnerGrpcOptions type and usages
  • Remove opts.config.sharedSecret references

5. src/service/main.ts — Remove NonceCache instantiation

  • Remove NonceCache import
  • Remove const nonceCache = new NonceCache(...) line
  • Remove nonceCache from createRunnerGrpcServer() call

6. Test files — Remove HMAC references

  • __tests__/helpers/grpc-test-client.ts: Remove the buildAuthHeaders import and the secret option from createGrpcTestClient options. The metadataFor() helper should return an empty Metadata(), and its secret parameter is removed.
  • __tests__/containers.docker.integration.test.ts: Remove NonceCache import, RUNNER_SECRET constant, sharedSecret/signatureTtlMs from config object, nonceCache creation and usage, and secret: RUNNER_SECRET from createGrpcTestClient call.
  • test/e2e/docker-runner.e2e.test.ts: Remove DOCKER_RUNNER_SHARED_SECRET env check/guard and secret: sharedSecret from createGrpcTestClient call.

Key Constraints

  • The gRPC server and test client should continue to function without any auth middleware — OpenZiti mTLS handles auth at the transport layer
  • All existing tests must pass after cleanup
  • No new authentication logic needs to be added
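
Once the cleanup lands, the gRPC handlers carry no application-layer guard at all, so the only thing standing between a caller and startWorkload/exec is the OpenZiti mTLS transport. A leftover reference to the old secret or nonce cache would either fail to compile or, worse, keep a half-removed guard in place, so the check worth running is a residue scan over the repository for every identifier the issue enumerates. The following is an added example, not code from agynio/docker-runner: findHmacResidue scans in-memory file contents for the HMAC-era identifiers and env var names listed above (word-boundary matched, so unrelated names such as unsharedSecrets are not flagged), scanPaths does the same over real files, and isClean is the pass/fail gate. SAMPLE_FILES is constructed sample input that imitates pre- and post-cleanup sources; it is not the project's real code.

```typescript
// Added example (not part of agynio/docker-runner): scan for identifiers that
// must be gone after the HMAC shared-secret removal described in this issue.
import { readFileSync } from "node:fs";

// Identifiers, option names and env vars the issue says must disappear.
export const HMAC_RESIDUE: readonly string[] = [
  "buildAuthHeaders",
  "verifyAuthHeaders",
  "signPayload",
  "hashBody",
  "NonceCache",
  "extractHeader",
  "verifyGrpcAuth",
  "metadataToHeaders",
  "sharedSecret",
  "signatureTtlMs",
  "nonceCache",
  "DOCKER_RUNNER_SHARED_SECRET",
  "DOCKER_RUNNER_SIGNATURE_TTL_MS",
  "contracts/auth",
  "contracts/json",
];

export interface Finding {
  file: string;
  line: number; // 1-based line number
  token: string; // which residue identifier matched
  text: string; // the offending source line, trimmed
}

// Build a case-sensitive, identifier-boundary pattern for one token, so that
// "sharedSecret" matches neither "unsharedSecrets" nor "sharedSecretX".
function tokenPattern(token: string): RegExp {
  const escaped = token.replace(/[.*+?^${}()|[\]\\/]/g, "\\$&");
  return new RegExp(`(^|[^A-Za-z0-9_$])${escaped}(?![A-Za-z0-9_$])`);
}

// Scan a map of path -> contents; comments are scanned too, because stale
// comments about the shared secret are residue as well.
export function findHmacResidue(
  files: Record<string, string>,
  tokens: readonly string[] = HMAC_RESIDUE,
): Finding[] {
  const patterns = tokens.map((token) => ({ token, re: tokenPattern(token) }));
  const findings: Finding[] = [];
  for (const [file, contents] of Object.entries(files)) {
    contents.split(/\r?\n/).forEach((text, index) => {
      for (const { token, re } of patterns) {
        if (re.test(text)) {
          findings.push({ file, line: index + 1, token, text: text.trim() });
        }
      }
    });
  }
  return findings;
}

// Same scan over files on disk, e.g. the output of `git ls-files '*.ts'`.
export function scanPaths(paths: string[]): Finding[] {
  const files: Record<string, string> = {};
  for (const p of paths) files[p] = readFileSync(p, "utf8");
  return findHmacResidue(files);
}

export function isClean(files: Record<string, string>): boolean {
  return findHmacResidue(files).length === 0;
}

// One line per finding, suitable for a CI log.
export function summarize(findings: Finding[]): string[] {
  return findings.map((f) => `${f.file}:${f.line} [${f.token}] ${f.text}`);
}

// Constructed sample input (not the project's real sources): main.ts still
// has the pre-cleanup wiring, config.ts and the test helper are already clean
// apart from one stale comment, and the helper also carries a look-alike name
// that must not be flagged.
export const SAMPLE_FILES: Record<string, string> = {
  "src/service/main.ts": [
    "import { NonceCache } from '../index.ts';",
    "const nonceCache = new NonceCache({ ttlMs: config.signatureTtlMs });",
    "createRunnerGrpcServer({ config, docker, nonceCache });",
  ].join("\n"),
  "src/service/config.ts": [
    "export function loadRunnerConfig(env: NodeJS.ProcessEnv = process.env) {",
    "  return runnerConfigSchema.parse({ dockerHost: env.DOCKER_HOST });",
    "}",
  ].join("\n"),
  "__tests__/helpers/grpc-test-client.ts": [
    "const unsharedSecrets: string[] = []; // look-alike, must not match",
    "// TODO: DOCKER_RUNNER_SHARED_SECRET no longer needed here",
    "export function metadataFor(): Metadata { return new Metadata(); }",
  ].join("\n"),
};
```

Run it over the whole checkout (scanPaths on the git file list) before merging; a non-empty result means either a dangling import that will fail the build or a guard that was only partially removed. The pattern list is intentionally explicit rather than a broad "hmac" substring match so that the gaps document referenced in the issue, or unrelated hashing code, does not produce false positives.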

Metadata

Assignees

No one assigned

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests