Context
Keep is a PoC zero-trust access stack (Envoy + OPA + device posture). The README explicitly marks it "NOT FOR PRODUCTION USE" but two gaps are blockers for any production consideration.
Problems
1. Unauthenticated device posture updates
The device attestation agent sends posture data to the inventory service without any verification. An attacker can forge device posture to bypass access policies. This is the critical gap before any production consideration.
2. OPA receives hardcoded request metadata
evaluateOPA hardcodes "/" and "GET" for request path/method — never passes actual request metadata from the Envoy ext_authz request. This means path-based and method-based policies are impossible.
Requirements
Open question
Issue #47 (Research: Study Teleport certificate-based auth model) suggests the team is evaluating alternatives. Should Keep be promoted to production, or will Teleport replace it? An architectural decision record would help.
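To make problem 2 concrete, here is an added example (not Keep's code) that contrasts the hardcoded OPA input with one built from the request being authorized. It assumes a Go authorization handler that sees the original method and path as an `*http.Request`; the `opaInput` shape and the `allow` function, a Go stand-in for a Rego rule, are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// opaInput is an assumed shape for the "input" document; Keep's real schema may differ.
type opaInput struct {
	Method string `json:"method"`
	Path   string `json:"path"`
}

// hardcodedInput mirrors the gap in the issue: the policy always sees GET /.
func hardcodedInput(_ *http.Request) opaInput {
	return opaInput{Method: "GET", Path: "/"}
}

// requestInput forwards the method and cleaned path of the request being authorized.
func requestInput(r *http.Request) opaInput {
	return opaInput{Method: r.Method, Path: path.Clean("/" + r.URL.Path)}
}

// opaBody wraps the input the way OPA's REST Data API expects: {"input": {...}}.
func opaBody(in opaInput) ([]byte, error) {
	return json.Marshal(map[string]opaInput{"input": in})
}

// allow is a Go stand-in for a Rego rule: reads are open, anything under
// /admin is read-only. It only exists to show what the policy can see.
func allow(in opaInput) bool {
	if in.Method == http.MethodGet || in.Method == http.MethodHead {
		return true
	}
	return in.Path != "/admin" && !strings.HasPrefix(in.Path, "/admin/")
}

func main() {
	// Constructed sample request, not traffic from the project.
	r := httptest.NewRequest(http.MethodDelete, "/admin/users/7", nil)
	for name, build := range map[string]func(*http.Request) opaInput{
		"hardcoded": hardcodedInput, "forwarded": requestInput,
	} {
		body, _ := opaBody(build(r))
		fmt.Printf("%-9s %s allow=%v\n", name, body, allow(build(r)))
	}
}
```

With the hardcoded input the rule cannot tell a `DELETE /admin/users/7` from a `GET /`, so it allows both; with the forwarded input the same rule denies the write.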