Support credential delegation for nested task dispatch #75
Description
Summary
Add opt-in credential delegation so that a dispatching proxy can forward its TLS credentials to workers for nested dispatch. Currently wool uses peer authentication exclusively — each worker authenticates as itself using its own certificate. Credential delegation would allow a client's credentials to be serialized into the task payload and used by the receiving worker to authenticate to downstream workers on the client's behalf.
This is a distinct trust model from peer authentication. With peer authentication, worker A can only dispatch to worker B if A has its own valid credentials. With credential delegation, A could dispatch to B using the client's credentials, even if A and B have no direct trust relationship. This mirrors patterns like Kerberos delegation and SSH agent forwarding.
Credential delegation must be explicitly opt-in and clearly distinguished from the default peer authentication model. Mixing the two models silently would allow untrusted workers to relay credentials to peers they are not independently authorized to reach.
Motivation
Peer authentication is the right default for homogeneous worker pools where every node is equally trusted. But heterogeneous deployments may need a client to dispatch through an intermediary worker that doesn't have direct credentials to all downstream workers. Credential delegation would support this without requiring every worker to hold credentials for every other worker.
This is not urgent — peer authentication covers the current use cases. Filing to track the design space for future consideration.