Verifiable authorization for Device Connect #30

Open: soupat wants to merge 7 commits into discovery-operations from feat/device-mandates

soupat (Collaborator) commented May 11, 2026

Summary

  • Add Device Mandates as opt-in verifiable authorization for protected device functions.
  • Add open/closed HMAC mandate verifier, replay protection, and @requires_mandate metadata.
  • Enforce mandates in DeviceRuntime direct RPC and broadcast paths before driver invocation.
  • Expose mandate metadata through FunctionDef, driver collection, loaded capabilities, agent tools, and adapters.
  • Add server-side mandate verification, inline execution receipts, and process-local receipt query endpoints.
  • Add docs and examples for mandate usage.

Validation

  • PYTHONPATH=. pytest tests -q from packages/device-connect-edge: 530 passed
  • PYTHONPATH=../device-connect-edge:. pytest tests --ignore=tests/test_integration.py -q from packages/device-connect-agent-tools: 217 passed
  • Focused adapter suite: 30 passed
  • Server mandate/receipt helper suite: 6 passed
  • Ruff passed on touched files
  • Local D2D smart-lock demo validated over NATS using current edge + agent-tools branch code

Notes

  • Mandates are opt-in: unprotected functions continue to invoke normally; protected functions marked with @requires_mandate fail closed without a valid mandate.
  • Current crypto profile is device-connect-hmac-v0 for the working slice. Production should move to Ed25519/COSE-style public-key signatures, durable receipt storage, and distributed replay protection.
  • Full portal endpoint test collection is blocked locally by missing aiohttp_jinja2 in this environment.
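
A sketch of the fail-closed flow the description above outlines (HMAC-tagged mandate, expiry, process-local nonce replay cache, `@requires_mandate` metadata checked before dispatch), added here as an illustration and not code from this PR. Only the profile name and the decorator name come from the page; the claim fields, `sign_mandate`, `MandateVerifier`, `invoke` and the sample `unlock`/`status` functions are assumptions.

```python
import hashlib, hmac, json, time

PROFILE = "device-connect-hmac-v0"  # profile name from the PR; claim layout is assumed

class MandateError(Exception): pass  # a protected call was refused

def sign_mandate(key, claims):
    """Issue a mandate: claims plus HMAC-SHA256 over their canonical JSON."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return {"claims": claims, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

class MandateVerifier:
    def __init__(self, key):
        self._key = key
        self._seen = {}  # nonce -> expiry; process-local replay cache

    def verify(self, mandate, function, now=None):
        now = time.time() if now is None else now
        claims = mandate.get("claims") if isinstance(mandate, dict) else None
        if not isinstance(claims, dict):
            raise MandateError("missing mandate")
        expected = sign_mandate(self._key, claims)["mac"].encode()
        if not hmac.compare_digest(expected, str(mandate.get("mac")).encode()):
            raise MandateError("bad signature")
        if claims.get("profile") != PROFILE or claims.get("function") != function:
            raise MandateError("mandate does not cover this function")
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            raise MandateError("expired")
        self._seen = {n: e for n, e in self._seen.items() if e > now}  # drop stale nonces
        nonce = claims.get("nonce")
        if not isinstance(nonce, str) or nonce in self._seen:
            raise MandateError("missing or replayed nonce")
        self._seen[nonce] = exp  # remember until the mandate itself expires

def requires_mandate(fn):
    fn.requires_mandate = True  # metadata the dispatcher checks before the driver runs
    return fn

def invoke(verifier, fn, mandate=None, **kwargs):  # protected functions fail closed
    if getattr(fn, "requires_mandate", False):
        verifier.verify(mandate, fn.__name__)
    return fn(**kwargs)

@requires_mandate
def unlock(door):  # constructed sample driver function
    return f"{door} unlocked"
def status(door):  # constructed sample; unprotected, so no mandate is needed
    return f"{door} ok"
```

The nonce cache here lives in one process, so a restart or a second verifier instance would accept a replay until the mandate expires.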
