fix(e2e): harden signoff policy tests for authenticated deployments

Address QA review feedback on the signoff e2e suite (86b24a5e):
- Use dedicated port 3199 with local_trusted mode to avoid reusing
  the dev server in authenticated mode (fixes 403 errors)
- Add proper agent authentication via API keys + heartbeat run IDs
- Fix non-participant test to actually verify access control rejection
- Add afterAll cleanup (dispose contexts, revoke keys, delete agents)
- Reviewers/approvers PATCH without checkout to preserve in_review state

Co-Authored-By: Paperclip <noreply@paperclip.ing>

tests/e2e/playwright.config.ts

@@ -1,6 +1,8 @@
 import { defineConfig } from "@playwright/test";
 
-const PORT = Number(process.env.PAPERCLIP_E2E_PORT ?? 3100);
+// Use a dedicated port so e2e tests always start their own server in local_trusted mode,
+// even when the dev server is running on :3100 in authenticated mode.
+const PORT = Number(process.env.PAPERCLIP_E2E_PORT ?? 3199);
 const BASE_URL = `http://127.0.0.1:${PORT}`;
 
 export default defineConfig({
@@ -29,6 +31,11 @@ export default defineConfig({
     timeout: 120_000,
     stdout: "pipe",
     stderr: "pipe",
+    env: {
+      ...process.env,
+      PORT: String(PORT),
+      PAPERCLIP_DEPLOYMENT_MODE: "local_trusted",
+    },
   },
   outputDir: "./test-results",
   reporter: [["list"], ["html", { open: "never", outputFolder: "./playwright-report" }]],