Introduce the authentication and security model for headless draft preview
First building block of the [Canvas Headless milestone](https://git.drupalcode.org/project/canvas/-/milestones/5). Headless frontends can only fetch published content. For live preview — and for editors to trust it — the frontend must render draft content: unpublished entities, forward revisions, and eventually Canvas auto-save state. That requires an authentication model that answers three questions well: on whose authority does the frontend read drafts, with what limits, and how is that access revoked. Goals: - Draft access is bound to the editor: the frontend sees exactly what the editing user may see, and every request is attributable to that user. - Access is read-only, regardless of what the editor may write in Drupal. - Access is editor-initiated, short-lived, and anchored in the editor's Drupal session: logging out ends it, and revoking the permission takes effect immediately. - Zero configuration: no scopes, roles, or service accounts to set up, and no secrets stored in the frontend. - The model works with the frontend embedded in the Canvas editor frame and in a standalone browser tab. - A reference frontend demonstrates the model end to end. Implementation details will follow in the merge request.
issue