Opaque identity token attached by the authentication layer, inserted into
request extensions. Standalone deployments populate this from the configured
key name; embedders providing their own auth populate it with whatever
caller identifier they need to attribute work against. Treat as opaque —
do not parse, sanitize, or display without intentional formatting.

Auth middleware: validates Bearer token against configured virtual keys.
Skips auth only when no admin_token is configured AND key_map is empty.
Inserts Principal into request extensions for downstream handlers.
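
The decision described above, as an added std-only Rust sketch (not the project's own code): auth is skipped only when both settings are unset, and otherwise any request without a matching Bearer token is rejected. Assumptions: the AuthConfig shape, the AuthError variants, key_map mapping bearer token to configured key name, and matching only virtual keys, since how the admin token itself is verified is not described here.

```rust
use std::collections::HashMap;

/// Opaque caller identity; deliberately has no Display impl.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Principal(String);

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError { MissingHeader, NotBearer, UnknownKey }

/// Hypothetical config shape: key_map maps bearer token -> configured key name.
pub struct AuthConfig {
    pub admin_token: Option<String>,
    pub key_map: HashMap<String, String>,
}

/// Equal-length byte comparison with no early exit on the first mismatching byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Ok(None): auth skipped (nothing configured). Ok(Some(p)): insert p into extensions.
pub fn authenticate(cfg: &AuthConfig, authorization: Option<&str>) -> Result<Option<Principal>, AuthError> {
    // Skip only when BOTH are unset; either one being configured enforces auth.
    if cfg.admin_token.is_none() && cfg.key_map.is_empty() {
        return Ok(None);
    }
    let header = authorization.ok_or(AuthError::MissingHeader)?;
    let (scheme, token) = header.split_once(' ').ok_or(AuthError::NotBearer)?;
    if !scheme.eq_ignore_ascii_case("Bearer") || token.trim().is_empty() {
        return Err(AuthError::NotBearer);
    }
    let token = token.trim();
    // Scan every entry so the work done does not depend on which key matched.
    let mut found = None;
    for (key, name) in &cfg.key_map {
        if ct_eq(key.as_bytes(), token.as_bytes()) { found = Some(name.clone()); }
    }
    found.map(|n| Some(Principal(n))).ok_or(AuthError::UnknownKey)
}

fn main() {
    let mut key_map = HashMap::new();
    key_map.insert("sk-constructed-123".to_string(), "team-a".to_string()); // constructed sample
    let cfg = AuthConfig { admin_token: None, key_map };
    println!("{:?}", authenticate(&cfg, Some("Bearer sk-constructed-123")));
    println!("{:?}", authenticate(&cfg, Some("Basic abc")));
}
```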