Background
PR #83 moved forward-auth from startup-loaded in-memory maps to a live GetComponent DB lookup on every request (Option B). This means public-component requests — which previously bypassed the DB entirely — now pay one DB read per request.
Trade-off accepted in #83
Fail-closed behaviour is consistent and secure: a DB error returns 503 for all requests, including public packages. This was accepted as the correct default.
Enhancement
For operators running high-volume public components, add a fast-path that avoids the DB for public packages while preserving the fail-closed guarantee:
- Cache only component names the DB has confirmed public in a short-TTL in-memory set (e.g. 5–30s), populated lazily on first lookup; private and unknown names are never cached
- On cache hit: allow immediately (zero DB calls)
- On cache miss or TTL expiry: fall through to the live GetComponent lookup
- On DB error: fail-closed (503) — same as today
This would restore the pre-#83 availability profile for public-component traffic under DB transient failures, while still picking up visibility changes within one TTL window.
Acceptance criteria:
- Public-component requests survive short DB outages (< TTL duration) without returning 503
- A visibility change from public → private takes effect within one TTL window (security: no lingering open access)
- The TTL is configurable via environment variable (default: 30s)
- Unit tests cover cache hit, cache miss, TTL expiry, and DB-error fallback paths
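A sketch of the fast-path and fail-closed behaviour described above, added here as an example and not code from PR #83 or this project; `LookupFunc` is an assumed stand-in for the real GetComponent call, and the injectable clock exists only so the TTL-expiry acceptance criterion can be exercised in a test.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// LookupFunc stands in for the live GetComponent DB call (assumed shape, not the project's API).
type LookupFunc func(name string) (public bool, err error)

// PublicCache stores only names the DB confirmed public, each with an expiry;
// private and unknown names are never stored, so a miss always consults the DB.
type PublicCache struct {
	mu     sync.Mutex
	ttl    time.Duration
	now    func() time.Time // injectable clock so TTL expiry can be tested
	expiry map[string]time.Time
}

func NewPublicCache(ttl time.Duration) *PublicCache {
	return &PublicCache{ttl: ttl, now: time.Now, expiry: map[string]time.Time{}}
}

// AllowPublic: true means bypass auth (public); false with nil error means private,
// go through normal auth; a non-nil error means the DB failed with nothing fresh
// cached, so the caller answers 503 exactly as the uncached path does (fail-closed).
func (c *PublicCache) AllowPublic(name string, lookup LookupFunc) (bool, error) {
	c.mu.Lock()
	exp, ok := c.expiry[name]
	c.mu.Unlock() // never hold the lock across the DB call
	if ok && c.now().Before(exp) {
		return true, nil // cache hit: zero DB calls
	}
	public, err := lookup(name) // miss or expired entry: live GetComponent
	if err != nil {
		return false, fmt.Errorf("GetComponent failed, failing closed: %w", err)
	}
	if public {
		c.mu.Lock()
		c.expiry[name] = c.now().Add(c.ttl) // positive result only, bounded by TTL
		c.mu.Unlock()
	}
	return public, nil
}

func main() {
	ok, err := NewPublicCache(30*time.Second).AllowPublic("demo-pkg", func(string) (bool, error) { return true, nil })
	fmt.Println(ok, err) // true <nil>
}
```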