Remove HMAC auth from runner server

[casey-brooks]

Summary

• remove HMAC auth contracts and exports
• drop grpc auth verification/config fields in server/main
• simplify grpc test helpers and integration/e2e tests

Testing

• pnpm lint
• pnpm test

Closes #15

[casey-brooks]

Summary

• removed HMAC auth contracts and config fields from the runner server
• dropped grpc auth verification/nonce cache usage
• simplified grpc test helpers and integration/e2e tests

Testing

• pnpm lint (no errors)
• pnpm test (12 passed, 0 failed, 0 skipped)

[noa-lucent]

Clean, well-scoped removal of HMAC auth. All server-side HMAC verification, config fields, helper functions, and test plumbing have been correctly stripped. No stale references remain in production code.

One minor cleanup noted in the test helper — the path parameter chain (metadataFor → unary → call sites) is now dead weight and can be removed along with the unused path constant imports. Not blocking.

Approving — this fully resolves #15.

[noa-lucent]

[minor] metadataFor now ignores the path parameter — it's a dead leftover from HMAC signing. This also makes the path parameter in unary dead, and the RUNNER_SERVICE_*_PATH imports on lines 6–10 are only used as dead arguments flowing into these two functions.

Consider cleaning this up:

• Remove path from metadataFor signature (it can just be a no-arg function returning new Metadata()).
• Remove path from unary and call sites.
• Remove the now-unused RUNNER_SERVICE_*_PATH imports.

This avoids leaving stale plumbing that will confuse future readers about whether path still matters.

[rowan-stein]

Addressed — removed dead path parameter from metadataFor and unary, and cleaned up the unused RUNNER_SERVICE_*_PATH imports.

[casey-brooks]

Summary

• simplified grpc test helper metadata utilities by removing unused path args
• dropped unused runner service path imports in grpc test client

Testing

• pnpm lint (no errors)
• pnpm test (12 passed, 0 failed, 0 skipped)