Document authentication and TLS requirements in proto comments

[lanycrost]

Problem statement

The gRPC service definitions (TransportConnectorService and HubService) contain no authentication, authorization, or TLS requirements in their documentation. All four streaming RPCs are defined without security annotations or guidance. Implementations may omit security controls if the contract doesn't specify them.

Additionally:

• metadata map fields don't warn against storing secrets
• BindingInfo.endpoint accepts arbitrary protocol schemes with no guidance on allowed formats
• No minimum TLS version is documented

Proposed change

Add security documentation to proto comments:

// TransportConnectorService is the connector-side transport contract.
//
// Security requirements:
//   - Production deployments MUST use TLS 1.3 or mTLS.
//   - Connectors authenticate via binding-scoped tokens carried in gRPC metadata.
//   - Insecure connections are permitted only in development environments.
service TransportConnectorService {
  // ...
}

Add metadata warnings:

// metadata carries story, run, step, or provider-specific routing hints.
// Do not store secrets, credentials, or PII in metadata — it may be
// logged, traced, or forwarded to downstream systems.
map<string, string> metadata = 4;

Add endpoint format guidance:

// endpoint is the connector dial target. Accepted schemes: unix:// and tcp://.
// Implementations should reject other schemes and block RFC 1918 / cloud
// metadata addresses in production.
string endpoint = 3;

Affected area

• Proto definitions

Compatibility / migration

Comment-only change. No wire or code impact.

Additional context

Identified during security review. The contract layer is the right place to document security expectations because every downstream consumer reads the proto files.