feat: added carto admin authorization

[otsybizov]

🤖 Linear

Closes CONG-XXX

[Copilot]

Pull request overview

This PR hardens the Cartographer handler’s operational pause/resume controls by adding admin-token auth and persisting pause state in the database so it survives restarts, while also refactoring secret verification and wiring the new token into staging infrastructure config.

Changes:

• Replace verifyWebhookSecret with a generic verifySecret helper and update tests/usages accordingly.
• Add authenticated /pause and /resume endpoints that persist pause state via a DB checkpoint and restore it on startup.
• Plumb CARTOGRAPHER_ADMIN_TOKEN through handler config and staging Terraform/secrets.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
packages/agents/cartographer/handler/src/webhooks/webhookHandler.ts	Renames secret verification helper and expands webhook routing debug logging.
packages/agents/cartographer/handler/test/webhooks/webhookHandler.spec.ts	Updates unit tests to use verifySecret.
packages/agents/cartographer/handler/src/server.ts	Adds admin-token auth for pause/resume + DB checkpoint persistence; uses verifySecret for webhook auth.
packages/agents/cartographer/handler/test/server.spec.ts	Adds auth coverage for pause/resume and asserts DB checkpoint persistence.
packages/agents/cartographer/handler/src/init.ts	Extends handler config to include admin token from env var.
packages/agents/cartographer/handler/src/index.ts	Restores paused state from DB checkpoint at startup.
ops/mainnet/staging/backend/variables.tf	Adds Terraform variable for the admin token.
ops/mainnet/staging/backend/config.tf	Injects CARTOGRAPHER_ADMIN_TOKEN into handler environment variables.
ops/env/mainnet/backend/secrets.staging.json	Adds encrypted staging secret for the admin token.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.