feat(router): add introspection authentication bypass feature

[dkorittki]

Summary by CodeRabbit

• New Features

  • Configurable GraphQL introspection auth modes: require auth, allow skipping with a secret, or skip entirely; router emits warnings for mismatched introspection settings.

• Configuration

  • New structured introspection settings (enabled + secret) and an ignore-introspection flag; legacy flag deprecated and schema enforces secret length.

• Chores

  • Initialization moved to an options-driven API with explicit error handling and clearer introspection wiring.

• Tests

  • Expanded coverage for introspection auth flows, GET/header/token variants, multi-provider JWTs, and config validation.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

Marked this PR as draft since I want to create a docs PR before this is here is ready for review.

Motivation and Context

This pull requests adds the ability to configure the router to bypass authentication, if the operation is identified as an introspection query. Optionally a separate, static secret for introspection can be configured, which has to be passed via Authorization header instead of the usual JWT token when an introspection query is sent.

The motivation behind this feature is that it allows users to configure GraphQL client tooling without the need to acquire valid auth tokens first, which sometimes is not easy in this scenario. It's meant to be used locally. This should not be enabled in production.

To enable this feature I added a new section to the router configuration called introspection:

introspection:
  enabled: true # deprecates the introspection_enabled config parameter
  skip_authentication: true # bypasses auth for introspection queries, if enabled (default: false)
  token: "demo" # optionally require a secret passed via Authorization header for introspection queries

Changes

• Config parameter introspection_enabled is marked as deprecated
• New config parameter introspection with three child parameters, as described above, added
• AccessController is extended to know wether introspection auth bypass is enabled and what the secret is
• AccessController provides a method to check wether the incoming operation is an introspection query (using a temporary OperationKit) and based on it's configuration, if it should be bypassed
• PreHandler first checks via AccessController if authentication should be bypassed and skips it if true
• Modified existing auth tests in router-tests to disable this feature for all existing tests (to reflect the default config)
• Extended auth tests in router-tests to test authentication when this feature is enabled