Require signed auth for messages writes

[lawyered0]

Summary:

• Require signed auth headers for write operations in /api/messages
• Update Factory web messaging mutations to sign requests before posting

Security:
Previously, clients could spoof and perform write actions (send messages, mark read, archive/mute, publish encryption keys) on behalf of another user. This change requires a wallet signature for message write endpoints.

Testing:

• Not run (auth plumbing changes only)

[lawyered0]

Why this should merge:

• Security: prior to this change, any client could spoof and perform message write actions.
• This change only affects write paths; read paths are unchanged.
• It uses the existing signature flow already verified server-side.

Repro (before fix):

• Send with any header to message as that user.

Now: write actions require signed headers.

[lawyered0]

Why this should merge:

• Security: prior to this change, clients could spoof x-wallet-address and perform message write actions.
• This change only affects write paths; read paths are unchanged.
• It uses the existing Factory Auth signature flow already verified server-side.

Repro before fix:

• Send POST /api/messages with any x-wallet-address header to message as that user.

Now: write actions require signed x-jeju-* headers.