deploy(nats): comment out auth_callout for v0.1

The auth_callout block required a real account nkey for the issuer
field and we don't have one yet — chat-server's callout endpoint is
a 501 stub for v0.1 anyway. NATS was crash-looping on startup
rejecting the placeholder nkey:

  Expected callout user to be a valid public account nkey,
  got "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX"

Commented the block out with clear notes on how to re-enable in
v0.2 once we run `nsc generate nkey` for real issuer + user keys.

In v0.1 NATS runs with no auth, which is fine because:
  - the deployment is behind a Cloudflare tunnel (not directly
    internet-exposed)
  - no KEZ client exists yet to connect
  - even if one did, the chat-server's callout endpoint is a stub

Deployment verified live at tudisco@10.5.2.5:
  chat-server :6969  → {"server":"kez.lat","status":"ok","version":"0.1.0"}
  sig-server  :7878  → {"status":"ok"}
  nats        :4222  → INFO frame, v2.14.1, JetStream on
              :8222  → /varz monitoring
              :8443  → WebSocket transport for browser SPA

kez-chat/deploy/docker-compose.yml

@@ -31,7 +31,7 @@ services:
 
   chat-server:
     build:
-      context: ..              # repo root, so Dockerfile sees rust/ and kez-chat/
+      context: ../..           # repo root: deploy/ → kez-chat/ → <repo root>; Dockerfile needs rust/ + kez-chat/ as siblings
       dockerfile: kez-chat/deploy/Dockerfile
     environment:
       KEZ_CHAT_BIND: 0.0.0.0:6969
@@ -48,7 +48,7 @@ services:
 
   sig-server:
     build:
-      context: ..
+      context: ../..          # same as chat-server — needs rust/ + rust-sig-server/ as siblings
       dockerfile: kez-chat/deploy/Dockerfile.sig-server
     environment:
       KEZ_BIND: 0.0.0.0:7878

kez-chat/deploy/nats.conf

@@ -27,25 +27,24 @@ jetstream {
 # Monitoring / healthcheck.
 http_port: 8222
 
-# Auth callout: every connection's auth request is forwarded to our
+# Auth callout: COMMENTED OUT for v0.1.
-# chat-server, which checks the handle registry and signs a response.
+#
-# Until we ship the v0.2 auth callout, the chat-server returns 501 and
+# When the chat-server's NATS auth callout endpoint is implemented in
-# all connections are rejected. That's intentional — fail closed.
+# v0.2, we'll generate real nkeys with `nsc` and put this block back.
-authorization {
+# Until then, NATS runs without auth — fine because:
-  auth_callout {
+#   - This deployment is behind a Cloudflare tunnel (not directly
-    # The chat-server signs its callout responses with this nkey; NATS
+#     internet-exposed).
-    # accepts responses signed by this key only. Generated once via
+#   - No KEZ client exists yet to connect.
-    # `nsc generate nkey -o` (operator-level) and embedded in the
+#   - The chat-server's /internal/nats/auth endpoint is a 501 stub
-    # chat-server's deployment secrets.
+#     anyway; even if NATS were configured to call it, every auth
-    #
+#     attempt would fail.
-    # PLACEHOLDER — replace before going live.
+#
-    issuer: "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX"
+# Re-enable in v0.2 with real nkeys:
-
+#
-    # NATS uses this user identity when invoking the callout endpoint.
+# authorization {
-    # Distinct from real users; it's just an internal protocol marker.
+#   auth_callout {
-    auth_users: ["AUTHUSER"]
+#     issuer: "<account nkey, generated via: nsc generate nkey -a>"
-
+#     auth_users: ["<user nkey, generated via: nsc generate nkey -u>"]
-    # The account real users land in once the callout approves them.
+#     account: "DEFAULT"
-    account: "DEFAULT"
+#   }
-  }
+# }
-}