ingest-router: Verify incoming project configs requests

[lynnagara]

The handler trait now defines a requires_relay_auth function.

When set to true by a specific handler (like project configs) - the Relay verifier will verify the incoming request against it's statically configured relay keys, before it is forwarded upstream. relay_keys is now a required property of the ingest-router configuration. Signatures that can't be matched against this list return 401.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 4db31aa. Configure here.}

[sentry]

Bug: The new relay_keys config field is missing #[serde(default)], which will cause service startup to fail with existing configurations that don't have this field.
_{Severity: CRITICAL}

Suggested Fix

Add the #[serde(default)] attribute to the relay_keys field in config.rs. This will make the field optional during deserialization, allowing the service to start with older configuration files.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: ingest-router/src/config.rs#L192

Potential issue: The `relay_keys` field in the configuration struct is missing the
`#[serde(default)]` attribute. This makes the field mandatory during deserialization.
Consequently, deploying the service with an existing configuration file that lacks this
new field will cause a deserialization error, leading to a service startup failure. This
breaks backward compatibility for existing deployments.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[lynnagara]

there aren't any existing deployments we need to maintain compatibility with

[sentry]

Bug: The relay_keys field in the config struct is a HashMap without #[serde(default)]. Deserialization will fail if the YAML key is present but has a null value.
_{Severity: CRITICAL}

Suggested Fix

Add the #[serde(default)] attribute to the relay_keys field in the Config struct. This will instruct serde to create a default, empty HashMap when the key is missing or its value is null, preventing the deserialization from failing.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: ingest-router/src/config.rs#L192

Potential issue: The `relay_keys` field in the `Config` struct is a `HashMap` but lacks
the `#[serde(default)]` attribute. When `serde_yaml` attempts to deserialize a
configuration where the `relay_keys` key is present but has no value (e.g., it's null or
all sub-keys are commented out), the deserialization will fail with an "invalid type:
unit value, expected a map" error. This will cause a panic at service startup. This
scenario is present in both the unit test `test_parse_valid_config` and the
`example_config_ingest_router.yaml`, making startup failure highly likely for users
following the example.

Also affects:

• example_config_ingest_router.yaml:10~10
• ingest-router/src/config.rs:355~355