
feat: add authenticated getStorageAt endpoint#351

Open
matthias-wright wants to merge 15 commits into seismic from m/admin-rpc

Conversation

matthias-wright (Contributor) commented Mar 31, 2026

This adds an authorized endpoint that behaves like eth_getStorageAt.
The governance key (security council multisig) can temporarily whitelist a key (Ethereum address) that can access this endpoint. Whitelisted keys can be revoked by the governance key.

The governance key is read from the first slot of the protocol params contract:

    "0x0000000000000000000000000000506172616d73": {
      "balance": "0x0",
      "code": "0x60806...",
      "storage": {
        "0x0000000000000000000000000000000000000000000000000000000000000000": "0xd412c5ecd343e264381ff15afc0ad78a67b79f35"
      }
    },

A new RPC server is added for this because the auth RPC server only supports JWT authentication and cannot be easily extended to support additional authentication methods.
This new RPC server uses the ops namespace (short for operations). The admin namespace is already used.
The new ops RPC server is deactivated by default and can be activated via the --ops.enable CLI flag. The address defaults to 127.0.0.1 and can be set via --ops.addr and the port defaults to 8552 and can be set via --ops.port.

These are all the added endpoints:

ops_whitelistKey

Request format:
{"jsonrpc":"2.0","method":"ops_whitelistKey","params":["0x<target>",<expires_at_unix_seconds>],"id":1}

Authorized by raw Ethereum transaction, signed by the governance key, stored in the X-Signed-Tx HTTP header.

Transaction requirements:

  • sender must be governance address
  • chainId must match node chain ID
  • to field must be 0x1000000000000000000000000000000000000006
  • value == 0
  • calldata must encode whitelistKey(address target, uint64 expiresAt)
  • calldata params must exactly match RPC params

Note: this endpoint doesn't need a nonce because the expires_at_unix_seconds parameter makes replays pointless.

ops_revokeKey

Request format:
{"jsonrpc":"2.0","method":"ops_revokeKey","params":["0x<target>"],"id":1}

Authorized by raw Ethereum transaction, signed by the governance key, stored in the X-Signed-Tx HTTP header.

Transaction requirements:

  • sender must be governance address
  • chainId must match node chain ID
  • to field must be 0x1000000000000000000000000000000000000006
  • value == 0
  • calldata must encode revokeKey(address target)
  • calldata params must exactly match RPC params

ops_getStorageAt

Request format:
{"jsonrpc":"2.0","method":"ops_getStorageAt","params":["0x<address>","0x<slot>","latest"],"id":1}

Authorized by a signature from a whitelisted key. The signature must be EIP-712-structured over the request body and nonce. Signature and nonce are stored in the X-Signature and X-Nonce HTTP headers, respectively.

ops_getNonce

Request format:
{"jsonrpc":"2.0","method":"ops_getNonce","params":["0x<signer_address>"],"id":1}

Authorized by a signature from a whitelisted key. The signature must be EIP-712-structured over the request body and nonce (nonce is set to the empty string). Signature is stored in the X-Signature HTTP header.

github-actions bot (Contributor) commented Mar 31, 2026

Adds signature-authenticated RPC server with ops endpoints for governance-controlled storage access bypass and whitelist management.

Phase 2

  • crates/node/builder/src/rpc.rs:184-197 - governance_address is logged at startup, which exposes the admin address. While this may be intentional for transparency, consider if this creates an operational security risk by making the governance address discoverable.
  • crates/rpc/rpc-layer/src/signature_auth_layer.rs — The signature verification middleware handles EIP-712 domain separation correctly, but the implementation should ensure consistent chain ID validation across all signature verification paths.

LGTM. The implementation follows security best practices with EIP-712 signatures, nonce-based replay protection, and proper governance address verification from on-chain storage. The seismic genesis changes correctly add a test contract and update the genesis hash. The storage access bypass is appropriately restricted to whitelisted addresses with governance controls.
