macOS Finder sends an unauthenticated OPTIONS request before attempting
auth. It needs to see the DAV: 1, 2 compliance header in the response
to know the server supports WebDAV. Without it, Finder shows "problem
connecting to the server" and never prompts for credentials.
OPTIONS is a safe discovery method that exposes no data, so it can be
served without auth.
Go's webdav.Handler returns 405 Method Not Allowed for GET on
collections (directories). macOS Finder sends GET to the WebDAV root
as part of its mount flow and refuses to connect when it gets 405.
Add a finderCompatible wrapper that intercepts GET/HEAD on directories
and returns a minimal 200 response, while passing all standard WebDAV
methods through to the underlying handler unchanged.
Split node enrollment from export sync and issue Finder-compatible DAV
credentials so the stack proves the real backend seam before any web UI
consumes it.
Protect the control-plane API with explicit bearer auth, add node-scoped
registration/heartbeat credentials, and make export mount paths an explicit
contract field so mount profiles stay correct across runtimes.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
