* .NET: DevUI: add configurable access controls for the DevUI HTTP surface
* .NET: DevUI: address review and fix dotnet format
- Restore parameterless AddDevUI overloads for binary compatibility on
IServiceCollection and IHostApplicationBuilder.
- Keep /meta outside the auth-filtered group so the frontend can discover
whether a bearer token is required before prompting for one. Surface the
actual requirement via MetaResponse.auth_required.
- Invoke DevUIOptions.ConfigureEndpoints before mapping protected endpoints
so RouteGroupBuilder conventions (RequireAuthorization, rate limiting)
reliably apply.
- Treat a null RemoteIpAddress as non-loopback in DevUIAuthFilter; tests
now set IPAddress.Loopback explicitly when exercising the loopback path.
- Add a DEVUI_AUTH_TOKEN env-var fallback test and a /meta-public test.
- Fix dotnet format: add UTF-8 BOM to new files, simplify a cref in
DevUIOptions, and drop an unused using in the new test.
* .NET: DevUI: add missing authRequired param XML tag
* .NET: DevUI tests: set loopback/AllowRemoteAccess for null-RemoteIp default
DevUIIntegrationTests use the default TestServer which leaves RemoteIpAddress
null. With the new conservative loopback default those tests now hit 403; set
AllowRemoteAccess on the option since those tests are not exercising access
control. Also add the missing SimulateRemoteIp call in the wrong-bearer test.
* .NET: DevUI tests: capture DEVUI_AUTH_TOKEN before parallel tests can see it
The env-var test was leaking DEVUI_AUTH_TOKEN into parallel DevUIIntegrationTests,
intermittently causing their requests to be rejected as 401. Eagerly resolve the
singleton DevUIAuthFilter so its constructor captures the token, then restore the
env var before any HTTP requests run.