[0.5.0][RLAC P5-followup] Document-filtering conformance + harness per-step headers

[erichare]

Follow-up to RLAC P5 (#295). P5 added cross-runtime conformance for the header-free RLAC surface — rlac-principals-lifecycle (CRUD) and rlac-policy-compile-preview (which pins the compiled filter shape {$or:[{visible_to:caller},{visible_to:"*"}]}). The visibility-filtering fixtures still need authoring:

• rlac-document-visibility-filtering — RLAC on + a policy + principals + docs with mixed visibleTo; GET /documents as alice vs bob returns only the docs each may see; POST /search merges the policy filter.
• rlac-chunk-listing-denial — GET …/documents/{id}/chunks 404s a principal who can't see the doc; 401 when no principal resolves.

These require setting the x-view-as-principal request header per step (the only way to bind a principal in the conformance harness's auth.mode: disabled). The harness doesn't support per-step headers today, so this needs a small but cross-runtime extension:

1. Add headers?: Record<string,string> to the scenario step schema (conformance-regenerate.ts Scenario).
2. Thread it through the regenerate fetcher (app.request init) and capture it in the fixture request shape.
3. Update conformance/runner.mjs runScenario + the cross-runtime fetcher signature ((method, path, body?, headers?)) — Python/Java harnesses gain an optional 4th param.
4. Author the two scenarios + regenerate.

Scoped out of P5 to avoid a cross-runtime harness-contract change at release crunch; the filtering behavior itself is covered by the TS route tests (#291/#292).

[erichare]

Auth scopes P3 (#332) hit the same harness limitation from the other side: the conformance harness runs auth:disabled and has no per-step auth-header seam, so a minted API key can't be presented to a later step either. That blocks the scope-enforcement conformance fixture (read:content→403 ingest, legacy write→201) just like it blocks RLAC x-view-as-principal document-filtering.

When the per-step headers seam lands here, it should unblock both at once. Suggest this issue's scope cover the shared seam:

• runner.mjs: resolve $N.field inside a step's optional headers (e.g. Authorization: Bearer $2.plaintext, x-view-as-principal: …).
• drift.test.ts + conformance-regenerate.ts fetchers: forward headers to app.request; allow a per-scenario authMode so enforcement scenarios boot the app in apiKey mode with a store-backed verifier.
• normalize.mjs: mask the bearer token in captured request headers (reuse the {{WB_TOKEN_N}} masking).

Scope-enforcement is currently covered by the runtime unit/integration suites (tests/auth/route-scope-resolution.test.ts, tests/mcp.test.ts); this would add the cross-runtime contract layer.