feat: session B — auth implementation + signals (26 stubs complete)

Implement ConfigureAuthorization, CheckAuthentication, and full auth
dispatch in NatsServer.Auth.cs; add HandleSignals in NatsServer.Signals.cs;
extend AuthHandler with GetAuthErrClosedState, ValidateProxies,
GetTlsAuthDcs, CheckClientTlsCertSubject, ProcessUserPermissionsTemplate;
add ReadOperatorJwt/ValidateTrustedOperators to JwtProcessor; add
AuthCallout stub; add auth accessor helpers to ClientConnection; add
NATS.NKeys package for NKey signature verification; 12 new tests pass.

dotnet/src/ZB.MOM.NatsNet.Server/Auth/AuthCallout.cs

@@ -0,0 +1,93 @@
+// Copyright 2022-2025 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Adapted from server/auth_callout.go in the NATS server Go source.
+
+namespace ZB.MOM.NatsNet.Server.Auth;
+
+/// <summary>
+/// External auth callout support.
+/// Mirrors Go <c>auth_callout.go</c>.
+/// </summary>
+internal static class AuthCallout
+{
+    /// <summary>
+    /// Publishes an auth request to the configured callout account and awaits
+    /// a signed JWT response that authorises or rejects the connecting client.
+    /// Mirrors Go <c>processClientOrLeafCallout</c> in auth_callout.go.
+    /// </summary>
+    public static bool ProcessClientOrLeafCallout(NatsServer server, ClientConnection c, ServerOptions opts)
+    {
+        // Full implementation requires internal NATS pub/sub with async request/reply.
+        // This is intentionally left as a stub until the internal NATS connection layer is available.
+        throw new NotImplementedException(
+            "Auth callout requires internal NATS pub/sub — implement when connection layer is available.");
+    }
+
+    /// <summary>
+    /// Populates an authorization request payload with client connection info.
+    /// Mirrors Go <c>client.fillClientInfo</c> in auth_callout.go.
+    /// </summary>
+    public static void FillClientInfo(AuthorizationRequest req, ClientConnection c)
+    {
+        req.ClientInfoObj = new AuthorizationClientInfo
+        {
+            Host = c.Host,
+            Id   = c.Cid,
+            Kind = c.Kind.ToString().ToLowerInvariant(),
+            Type = "client",
+        };
+    }
+
+    /// <summary>
+    /// Populates an authorization request payload with connect options.
+    /// Mirrors Go <c>client.fillConnectOpts</c> in auth_callout.go.
+    /// </summary>
+    public static void FillConnectOpts(AuthorizationRequest req, ClientConnection c)
+    {
+        req.ConnectOptions = new AuthorizationConnectOpts
+        {
+            Username  = c.GetUsername(),
+            Password  = c.GetPassword(),
+            AuthToken = c.GetAuthToken(),
+            Nkey      = c.GetNkey(),
+        };
+    }
+}
+
+/// <summary>Authorization request sent to auth callout service.</summary>
+public sealed class AuthorizationRequest
+{
+    public string ServerId   { get; set; } = string.Empty;
+    public string UserNkey   { get; set; } = string.Empty;
+    public AuthorizationClientInfo?  ClientInfoObj  { get; set; }
+    public AuthorizationConnectOpts? ConnectOptions { get; set; }
+}
+
+/// <summary>Client info portion of an authorization request.</summary>
+public sealed class AuthorizationClientInfo
+{
+    public string Host { get; set; } = string.Empty;
+    public ulong  Id   { get; set; }
+    public string Kind { get; set; } = string.Empty;
+    public string Type { get; set; } = string.Empty;
+}
+
+/// <summary>Connect options portion of an authorization request.</summary>
+public sealed class AuthorizationConnectOpts
+{
+    public string Username  { get; set; } = string.Empty;
+    public string Password  { get; set; } = string.Empty;
+    public string AuthToken { get; set; } = string.Empty;
+    public string Nkey      { get; set; } = string.Empty;
+}