[Deprecation] Client-Whitelist Authorization Wrapper Middleware

[silug]

Summary

Shared middleware that routes requests through trapperkeeper authorization or client-whitelist authorization is marked in comments as temporary compatibility behavior.

Why This Is Soft / Inferred

No explicit runtime deprecation warning for this helper exists, but code comments describe eventual deletion when whitelist authorization support is dropped.

Evidence

• src/clj/puppetlabs/puppetserver/ringutils.clj:97 comment: function exists for backward-compatible client-whitelist support and should be deleted when support is dropped.
• src/clj/puppetlabs/services/ca/certificate_authority_core.clj:605 and src/clj/puppetlabs/services/puppet_admin/puppet_admin_core.clj:130 comments reference eventual removal of client-whitelist authorization path.

Proposed Plan

• OpenVox Server 9:
  • Add explicit warning when whitelist path is activated.
  • Keep behavior for one migration cycle.
• Next major release:
  • Remove wrap-with-trapperkeeper-or-client-whitelist-authorization.
  • Require authorization service paths only.

Compatibility / Risk

• Medium to high risk where whitelist settings are still used.
• Closely coupled to removal of deprecated whitelist settings in puppet-admin and CA status.

Implementation Notes

• Tie this issue to issues removing client-whitelist/authorization-required settings.
• Confirm no internal endpoints still depend on whitelist-only path.

Acceptance Criteria

• OpenVox Server 9 warning is emitted when compatibility wrapper is active.
• Wrapper removal is scheduled for next major release.

Suggested Tests

• Middleware behavior tests for warning + routing in 9.
• Major-release removal tests to ensure auth-only path.

[silug]

Deprecated (in comments) in 40d9f11 / 9d1b876.