Secure first-loop control-plane auth and mount routing.

Protect the control-plane API with explicit bearer auth, add node-scoped
registration/heartbeat credentials, and make export mount paths an explicit
contract field so mount profiles stay correct across runtimes.

Generated with [Devin](https://cli.devin.ai/docs)

Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>

packages/contracts/schemas/storage-export.schema.json

@@ -25,6 +25,9 @@
     "path": {
       "type": "string"
     },
+    "mountPath": {
+      "type": "string"
+    },
     "protocols": {
       "type": "array",
       "items": {