Authenticate Redis event envelopes with HMAC-SHA256 and require shared secret #55

Draft
twisti-dev wants to merge 1 commit into master from codex/propose-fix-for-redis-event-vulnerability
Conversation

@twisti-dev
Contributor

Motivation

  • Close a trust boundary in the Redis event bus by preventing unauthenticated pub/sub messages from being accepted as authoritative application events.
  • Ensure events published over the shared surf-redis:events channel cannot be forged to invoke privileged handlers.
  • Fail closed on missing configuration so the bus does not silently accept unsigned messages.

Description

  • Add a required shared secret read from SURF_REDIS_EVENT_SECRET (environment) or -Dsurf.redis.event.secret (JVM property) and validate it at startup in RedisEventBusImpl.
  • Extend the wire EventEnvelope with a signature field and implement HMAC-SHA256 signing/verification using javax.crypto.Mac and Base64 encoding for outbound publishes and inbound validation.
  • Reject inbound envelopes whose signature does not verify before performing event-class lookup, deserialization, or dispatch, and sign outbound envelopes in publish using the configured secret.
  • Use a simple payload composition of "$eventClass:$eventData" for the HMAC input and log/reject invalid or unknown event types while preserving existing registration/dispatch semantics.

Testing

  • Attempted automated build with ./gradlew :surf-redis-core:compileKotlin, which was executed in this environment and failed.
  • The build failure is due to the repository Gradle plugin requiring a newer JVM (Java 25) while the runner environment provides Java 21, so compilation/tests could not be completed here.
  • No other automated tests were run in this environment because of the JVM/tooling mismatch.

Codex Task
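
The signing and verification flow described above, as an added Kotlin example that is not the PR's code. `SignedEnvelope`, `loadSecret`, `mac`, `sign` and `verify` are hypothetical names, and the event class, payloads and secret in `main` are constructed sample values.

```kotlin
import java.security.MessageDigest
import java.util.Base64
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// Hypothetical stand-in for the PR's EventEnvelope; field names are assumptions.
data class SignedEnvelope(val eventClass: String, val eventData: String, val signature: String)

// Fail closed: no secret in the environment or JVM properties means no bus.
fun loadSecret(): ByteArray {
    val raw = (System.getenv("SURF_REDIS_EVENT_SECRET") ?: System.getProperty("surf.redis.event.secret"))
        ?.takeIf { it.isNotBlank() }
        ?: throw IllegalStateException("Redis event secret is not configured")
    return raw.toByteArray(Charsets.UTF_8)
}

// HMAC-SHA256 over "$eventClass:$eventData", the input the description states.
fun mac(secret: ByteArray, eventClass: String, eventData: String): ByteArray {
    val hmac = Mac.getInstance("HmacSHA256")
    hmac.init(SecretKeySpec(secret, "HmacSHA256"))
    return hmac.doFinal("$eventClass:$eventData".toByteArray(Charsets.UTF_8))
}

// Outbound: attach the Base64-encoded tag to the envelope.
fun sign(secret: ByteArray, eventClass: String, eventData: String) =
    SignedEnvelope(eventClass, eventData, Base64.getEncoder().encodeToString(mac(secret, eventClass, eventData)))

// Inbound: run this before any class lookup, deserialization or dispatch.
fun verify(secret: ByteArray, env: SignedEnvelope): Boolean {
    val claimed = try {
        Base64.getDecoder().decode(env.signature)
    } catch (e: IllegalArgumentException) {
        return false // malformed Base64 is a rejection, not an exception for the caller
    }
    // MessageDigest.isEqual compares in constant time, unlike contentEquals.
    return MessageDigest.isEqual(mac(secret, env.eventClass, env.eventData), claimed)
}

fun main() {
    val secret = "constructed-test-secret".toByteArray(Charsets.UTF_8) // constructed sample
    val good = sign(secret, "com.example.PlayerJoined", """{"id":1}""")
    println("untampered envelope accepted: ${verify(secret, good)}")
    println("modified eventData accepted: ${verify(secret, good.copy(eventData = """{"id":2}"""))}")
    println("malformed signature accepted: ${verify(secret, good.copy(signature = "not base64!"))}")
    println("wrong secret accepted: ${verify("other".toByteArray(Charsets.UTF_8), good)}")
}
```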