Implements plan §13.21 auth model layer 1 - when search UI is first
enabled for an index, the orchestrator now creates a scoped search-only
key on every Meilisearch node via POST /keys with actions: [search],
indexes scoped. The key is stored in Redis hash with metadata
(primary_uid, rotated_at, generation) for retrieval at request time.
Changes:
- Add imports for MeilisearchClient and mint_scoped_key
- Implement get_or_create_scoped_key to create keys when needed
- Store new keys in Redis via set_search_ui_scoped_key
- Return the scoped key for use in JWT session minting
The scoped key has a hard expiration of scoped_key_max_age_days (60d
default) and will be auto-rotated by the background rotation loop at
scoped_key_rotate_before_expiry_days (30d default) - see P10.5 for
the rotation coordination implementation.
Closes: miroir-uhj.21.1