Introduce the authentication and security model for headless draft preview
First building block of the [Canvas Headless milestone](https://git.drupalcode.org/project/canvas/-/milestones/5).
Headless frontends can only fetch published content. For live preview —
and for editors to trust it — the frontend must render draft content:
unpublished entities, forward revisions, and eventually Canvas auto-save
state. That requires an authentication model that answers three questions
well: on whose authority does the frontend read drafts, with what limits,
and how is that access revoked.
Goals:
- Draft access is bound to the editor: the frontend sees exactly what the
editing user may see, and every request is attributable to that user.
- Access is read-only, regardless of what the editor may write in Drupal.
- Access is editor-initiated, short-lived, and anchored in the editor's
Drupal session: logging out ends it, and revoking the permission takes
effect immediately.
- Zero configuration: no scopes, roles, or service accounts to set up, and
no secrets stored in the frontend.
- The model works with the frontend embedded in the Canvas editor frame and
in a standalone browser tab.
- A reference frontend demonstrates the model end to end.
Implementation details will follow in the merge request.
issue