Harden Flight ingress session identity and token lifecycle #221

Merged
bill-ph merged 3 commits into main from
215-flight-ingress-implement-server-issued-session-token-identity-model
Feb 17, 2026
@bill-ph (Collaborator) commented Feb 17, 2026

Summary

  • harden Flight ingress auth by requiring Basic auth on every request and binding it to x-duckgres-session
  • remove host-based session reuse fallback for tokenless requests and bootstrap fresh server-issued session tokens
  • enforce absolute session token lifetime via flight_session_token_ttl (config/env/flag + docs/tests)
  • update control-plane Flight tests to propagate issued session token across follow-up RPCs

Notes on issue #215 deltas (intentional)

  • Identity rollout mode is intentionally stricter than issue text: this PR behaves like token_required by always requiring Basic auth and not preserving legacy client-id fallback behavior.
  • Header naming intentionally keeps the existing x-duckgres-session contract in this codebase instead of introducing a parallel x-duckgres-session-token header.
  • Token lifecycle scope in this PR is intentionally minimal and hardening-focused: server-issued token bootstrap + principal binding + absolute TTL, without adding new Flight Action endpoints or per-principal token-cap controls in this change.

Validation

  • go test ./... -count=1
  • golangci-lint run

Closes #215

@bill-ph bill-ph linked an issue Feb 17, 2026 that may be closed by this pull request
@bill-ph bill-ph merged commit 291dad3 into main Feb 17, 2026
11 checks passed
@bill-ph bill-ph deleted the 215-flight-ingress-implement-server-issued-session-token-identity-model branch February 17, 2026 20:51
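
The session model the summary describes (Basic auth on every request, a server-issued x-duckgres-session token bound to the authenticated principal, an absolute TTL, and no session reuse for tokenless requests), as an added Go example that is not part of this PR or the duckgres code base. Store, Resolve, ErrSession and the injectable clock are hypothetical names, and Basic auth verification is assumed to have already succeeded for the principal passed in.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrSession = errors.New("session token unknown, expired, or bound to another principal")

type session struct {
	principal string
	expires   time.Time // absolute deadline, never extended on use
}

type Store struct { // hypothetical in-memory token table, not duckgres code
	mu       sync.Mutex
	ttl      time.Duration    // plays the role of flight_session_token_ttl
	now      func() time.Time // injectable clock (assumption, for tests)
	sessions map[string]session
}

// Resolve runs after Basic auth succeeded; token is the x-duckgres-session value ("" if absent).
func (s *Store) Resolve(principal, token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if token == "" { // tokenless: mint a fresh session, never reuse one by host
		buf := make([]byte, 32)
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		token = hex.EncodeToString(buf)
		s.sessions[token] = session{principal: principal, expires: s.now().Add(s.ttl)}
		return token, nil
	}
	sess, ok := s.sessions[token]
	if !ok || sess.principal != principal || !s.now().Before(sess.expires) {
		return "", ErrSession // same error for every cause, so callers learn nothing extra
	}
	return token, nil
}

func main() {
	s := &Store{ttl: time.Hour, now: time.Now, sessions: map[string]session{}}
	tok, _ := s.Resolve("alice", "")
	fmt.Println(s.Resolve("bob", tok)) // alice's token presented by bob is rejected
}
```

Because the deadline is fixed at issue time and never refreshed, a stolen token stops working after the TTL no matter how actively it is used.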
Development

Successfully merging this pull request may close these issues.

Flight ingress: implement server-issued session token identity model