macOS WebDAVFS truncates HTTP Basic Auth passwords at 255 bytes. The
mount credential password (base64 payload + HMAC signature) was 260
bytes because the full username token (32 random bytes / 43 base64url
chars) is embedded in the signed payload.

Reduce the username token from 32 bytes to 24 bytes (32 base64url
chars), bringing the total password to ~246 chars with margin for
longer node IDs and mount paths.

Split node enrollment from export sync and issue Finder-compatible DAV
credentials so the stack proves the real backend seam before any web UI
consumes it.

Protect the control-plane API with explicit bearer auth, add node-scoped
registration/heartbeat credentials, and make export mount paths an explicit
contract field so mount profiles stay correct across runtimes.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
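
The sketch below is an added example, not code from this project: it shows why a 255-byte truncation breaks an HMAC-signed Basic Auth password and how an issue-time length guard catches it. The `payload.signature` layout, the claim names and the sample node ID and mount path are assumptions, with sizes constructed so the totals match the 260 and ~246 figures in the commit message.

```python
import base64, hashlib, hmac, json, secrets

PASSWORD_LIMIT = 255  # WebDAVFS truncation point, per the commit message

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_password(key: bytes, claims: dict, enforce_limit: bool = True) -> str:
    """Return '<base64url(payload)>.<base64url(HMAC-SHA256)>' (assumed layout)."""
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    password = f"{b64url(payload)}.{b64url(sig)}"
    # Refuse to issue a credential the client would silently truncate.
    if enforce_limit and len(password) > PASSWORD_LIMIT:
        raise ValueError(f"password is {len(password)} bytes, limit {PASSWORD_LIMIT}")
    return password

def verify_password(key: bytes, password: str):
    """Return the claims if the signature checks out, else None."""
    try:
        body, sig = password.split(".")
        payload, given = b64url_decode(body), b64url_decode(sig)
    except ValueError:  # wrong part count or malformed base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return json.loads(payload) if hmac.compare_digest(given, expected) else None

def sample_claims(token_bytes: int) -> dict:
    # Constructed sample values (hypothetical claim names, node ID and path);
    # only the username token size comes from the commit message.
    return {
        "user": b64url(secrets.token_bytes(token_bytes)),
        "node": "node-" + "0" * 32,
        "path": "/dav/exports/" + "p" * 20 + "/",
        "exp": 1900000000,
    }

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for n in (32, 24):
        pw = issue_password(key, sample_claims(n), enforce_limit=False)
        # Simulate the client-side truncation, then verify server-side.
        ok = verify_password(key, pw[:PASSWORD_LIMIT]) is not None
        print(f"token={n}B password={len(pw)} chars verifies_after_truncation={ok}")
```

Because the token sits inside the payload that is base64-encoded a second time, trimming 11 token characters saves 14 password characters.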