@ChristianPavilonis (Collaborator) commented Oct 28, 2025

Implements request signing for OpenRTB bid requests with automatic key rotation

Related Issues

New Endpoints

• GET /.well-known/jwks.json - Returns current public keys in JWKS format for signature verification
• POST /admin/rotate-keys - Triggers key rotation (generates new keypair, updates stores, deprecates old key)
• POST /admin/deactivate-key/:kid - Deactivates a specific key by its Key ID
• POST /admin/verify-signature - Verifies request signatures for testing/debugging

Request Signing

• All OpenRTB bid requests now include a signature in ext.trusted_server.signature and ext.trusted_server.kid
• Uses Ed25519
• Signs the request ID (bid_request.id) to ensure request authenticity

Key Rotation

Storage Model:

• Config Store (jwks_store): Stores current-kid (active key ID) and jwks (public JWKS document)
• Secret Store (signing_keys): Stores private keys indexed by KID (e.g., kid_abc123...)

Rotation Process:

  1. Generates fresh keypair
  2. Stores new private key in Secret Store under new KID
  3. Updates current-kid in Config Store
  4. Updates JWKS with both new (active) and old (deprecated) public keys
  5. Cleanup endpoint removes deprecated keys from both stores

Todos

  • make opt-in

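The signing and rotation flow described in the PR body, written out as an added Go example (not the project's own code, and in Go rather than the project's language so that it runs with the standard library alone): a KeyStore type models the config store (current-kid plus the JWKS document) and the secret store (private keys by kid); Rotate performs steps 1 to 4 of the rotation process, Cleanup is step 5, Sign places an Ed25519 signature over bid_request.id into ext.trusted_server, and Verify is what a bidder does with nothing but the document served at /.well-known/jwks.json. The kid format (kid_ followed by a truncated hash of the public key) and all type and function names are assumptions; the JWK fields follow RFC 8037 (kty OKP, crv Ed25519, x as base64url of the raw public key).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// JWK is one Ed25519 public key in JWKS form (RFC 8037: kty "OKP", crv "Ed25519").
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"` // base64url (no padding) of the 32-byte raw public key
}

type JWKS struct{ Keys []JWK `json:"keys"` }

// BidRequest is the part of an OpenRTB request the signature touches.
type BidRequest struct {
	ID  string `json:"id"`
	Ext struct {
		TrustedServer struct {
			Signature string `json:"signature"`
			Kid       string `json:"kid"`
		} `json:"trusted_server"`
	} `json:"ext"`
}

// KeyStore is an added illustration, not the project's own code. It stands in for the
// config store (CurrentKid, Jwks) and the secret store (Secrets). A kid that is in Jwks
// but is not CurrentKid is deprecated: still accepted by verifiers, no longer used to sign.
type KeyStore struct {
	CurrentKid string
	Jwks       JWKS
	Secrets    map[string]ed25519.PrivateKey
}

func NewKeyStore() *KeyStore { return &KeyStore{Secrets: map[string]ed25519.PrivateKey{}} }

// Rotate is steps 1-4 of the rotation process; the previous key stays in the JWKS as deprecated.
func (ks *KeyStore) Rotate() (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // 1. fresh keypair
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(pub)
	kid := fmt.Sprintf("kid_%x", sum[:8]) // constructed kid format: truncated hash of the public key
	ks.Secrets[kid] = priv                // 2. private key into the secret store under the new kid
	ks.CurrentKid = kid                   // 3. update current-kid
	ks.Jwks.Keys = append(ks.Jwks.Keys,   // 4. publish the new public key beside the old ones
		JWK{Kty: "OKP", Crv: "Ed25519", Kid: kid, X: base64.RawURLEncoding.EncodeToString(pub)})
	return kid, nil
}

// Cleanup is step 5: drop every deprecated key from both stores and report the removed kids.
func (ks *KeyStore) Cleanup() (removed []string) {
	kept := ks.Jwks.Keys[:0]
	for _, k := range ks.Jwks.Keys {
		if k.Kid == ks.CurrentKid {
			kept = append(kept, k)
		} else {
			delete(ks.Secrets, k.Kid)
			removed = append(removed, k.Kid)
		}
	}
	ks.Jwks.Keys = kept
	return removed
}

// Sign fills ext.trusted_server.{signature,kid} with an Ed25519 signature over bid_request.id.
func (ks *KeyStore) Sign(br *BidRequest) error {
	priv, ok := ks.Secrets[ks.CurrentKid]
	if !ok {
		return errors.New("no active signing key; rotate first")
	}
	br.Ext.TrustedServer.Signature = base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(br.ID)))
	br.Ext.TrustedServer.Kid = ks.CurrentKid
	return nil
}

// Verify is the bidder side: with only the JWKS from /.well-known/jwks.json it selects the key
// by kid and checks the signature over the request id; an unknown kid or bad signature fails.
func Verify(jwks JWKS, br BidRequest) error {
	ts := br.Ext.TrustedServer
	for _, k := range jwks.Keys {
		if k.Kid != ts.Kid || k.Kty != "OKP" || k.Crv != "Ed25519" {
			continue
		}
		pub, err := base64.RawURLEncoding.DecodeString(k.X)
		sig, err2 := base64.RawURLEncoding.DecodeString(ts.Signature)
		if err != nil || err2 != nil || len(pub) != ed25519.PublicKeySize ||
			!ed25519.Verify(ed25519.PublicKey(pub), []byte(br.ID), sig) {
			return errors.New("signature invalid")
		}
		return nil
	}
	return fmt.Errorf("unknown kid %q", ts.Kid)
}
```

After Rotate runs a second time the JWKS carries both keys, so a request signed moments before the rotation still verifies under the deprecated kid; only Cleanup turns that kid into a verification failure. That gap between rotation and cleanup is the window within which bidders that cache the JWKS document need to refresh it.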
@ChristianPavilonis ChristianPavilonis marked this pull request as ready for review November 3, 2025 21:51
@ChristianPavilonis ChristianPavilonis marked this pull request as draft November 4, 2025 19:11