BYOC: add auth token to byoc worker registration

[ad-astra-video]

What does this pull request do? Explain your changes. (required)

Add ability for worker to register with an authentication token similar to ai-runner.

Specific updates (required)

• add token field parsing in json and AuthToken field to ExternalCapability
• catch 401 errors at Orchestratro and return 500 errors to caller after logging on Orchestrator

How did you test each of these updates (required)

Tested with byoc streaming using the runner-router to apply the auth token

Does this pull request close any open issues?

Checklist:

• Read the contribution guide
• make runs successfully
• All tests in ./test.sh pass
• README and other documentation updated
• Pending changelog updated

[Copilot]

Pull request overview

This PR adds support for an auth_token field in BYOC worker capability registration. When a worker registers a capability with an AuthToken, the orchestrator includes a Bearer token in the Authorization header for all subsequent requests to that worker. If the worker returns HTTP 401, the orchestrator removes the capability so the worker can re-register with a valid token.

Changes:

• Adds AuthToken string field to ExternalCapability with JSON tag auth_token, and updates RegisterCapability to copy the token on re-registration
• Injects Authorization: Bearer <token> header in all four outbound paths to workers (processJob, StartStream, StopStream, UpdateStream, and monitorOrchStream)
• Adds 401-handling logic in processJob and StartStream that removes the capability on auth failure, with accompanying tests

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
core/external_capabilities.go	Adds AuthToken field to ExternalCapability struct and copies it during capability re-registration
byoc/job_orchestrator.go	Injects auth header into worker requests in processJob; adds 401 handling that removes the capability and returns HTTP 500
byoc/stream_orchestrator.go	Injects auth header in StartStream, StopStream, UpdateStream, and monitorOrchStream; adds 401 removal logic in StartStream
byoc/job_orchestrator_test.go	Adds test verifying 401 from worker triggers capability removal and returns 500 to caller
byoc/stream_test.go	Adds test verifying 401 from worker triggers capability removal and returns 401 to caller

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 53.44828% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 32.88190%. Comparing base (48c5d86) to head (c263f58).

Files with missing lines	Patch %	Lines
byoc/stream_orchestrator.go	46.66667%	20 Missing and 4 partials ⚠️
byoc/job_orchestrator.go	75.00000%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@                 Coverage Diff                 @@
##              master       #3878         +/-   ##
===================================================
+ Coverage   32.79594%   32.88190%   +0.08596%     
===================================================
  Files            171         171                 
  Lines          41993       42014         +21     
===================================================
+ Hits           13772       13815         +43     
+ Misses         27189       27157         -32     
- Partials        1032        1042         +10     

Files with missing lines	Coverage Δ
core/external_capabilities.go	27.19298% <100.00000%> (+0.64431%)	⬆️
byoc/job_orchestrator.go	48.65591% <75.00000%> (+7.77193%)	⬆️
byoc/stream_orchestrator.go	39.41368% <46.66667%> (+3.38674%)	⬆️

... and 2 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 48c5d86...c263f58. Read the comment docs.

Files with missing lines	Coverage Δ
core/external_capabilities.go	27.19298% <100.00000%> (+0.64431%)	⬆️
byoc/job_orchestrator.go	48.65591% <75.00000%> (+7.77193%)	⬆️
byoc/stream_orchestrator.go	39.41368% <46.66667%> (+3.38674%)	⬆️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.