add recipient-scoped event confidentiality (diagram sharing phase 3)

[fabracht]

Closes #78.

Summary

• New opt-in --scoped-events flag (env MQDB_SCOPED_EVENTS, default off). When on, change events for ownership-enabled and derived (child) entities are published once per recipient to $DB/u/{recipient}/events/{entity}/{id} — owner plus share grantees; children resolve recipients through the parent. Global entities keep the single broadcast publish.
• Broker enforces a user may only subscribe to their own $DB/u/{me}/events/# (admins may read any; only the internal event service may publish there). Enforced in TopicProtectionAuthProvider, gated on the flag.
• Breaking for subscribers (subscribe to $DB/u/{me}/events/# instead of $DB/{entity}/events/#) — hence opt-in; enable broker + client together.
• Agent mode only; cluster parity tracked in cluster parity for diagram sharing #75; public/anonymous event topics deferred to phase 4 (diagram sharing phase 4: public / link sharing with anonymous tickets #79).
• Authorization core verified in TLA+ (InvEventConfidentiality/InvEventCompleteness hold across 52,488 states).

Test plan

• topic protection: user reads own $DB/u/{me}/events/#, denied another user's / wildcard; non-service publish to $DB/u/... denied; service publishes; admin reads any; flag-off unrestricted
• event_recipients: owner+grantees for owned, parent's recipients for child, None for Global
• cargo make dev green

[fabracht]

Pushed 1ef155d: scoped event recipients are now resolved synchronously at write time and carried on the ChangeEvent (serde-skipped, so the recipient list never hits the wire), instead of being recomputed asynchronously at publish time.

This fixes two gaps in the original commit:

• cascade-delete child events were dropped (parent already gone → owner unresolvable)
• parent-delete grantee notification raced clear_all_resource_grants

Create/update keep the safe async recompute. Added test_cascade_delete_events_carry_recipients and a debug! when scoped recipients resolve to empty. cargo make dev green.

Follow-ups split out: #84 ($DB/u/# unprotected when flag off), #85 (grantee not notified on share/unshare).