Add HMAC auth, user permissions, snake_case rename

Each request is signed with HMAC-SHA256 over timestamp+body using a
per-user secret loaded from a --secrets file (never env vars or git).
Users have a canApprove list controlling who may approve queued actions.
Queue entries track submitted_by for permission checks on approve/deny.

Also renames all identifiers to snake_case throughout the codebase.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

client/auth.mjs

@@ -0,0 +1,13 @@
+import { createHmac } from "crypto";
+
+export function sign_request(secret, username, body_string) {
+	const timestamp = String(Date.now());
+	const signature = createHmac("sha256", secret)
+		.update(timestamp + "." + body_string)
+		.digest("hex");
+	return {
+		"X-Conduit-User":      username,
+		"X-Conduit-Timestamp": timestamp,
+		"X-Conduit-Signature": signature,
+	};
+}