fn build_router(state: Arc<AppState>) -> RouterExpand description
/healthz outside /v1; /v1/enroll is anonymous; all other /v1/* require mTLS.
/v1/* is gated by require_ready_layer (#95) so agents get 503 + Retry-After
until the first signed artifact is verified - no stale-state serving.