feat(http): route smart-HTTP through the auth.Authorizer; drop allowPush field
Replace the allowPush bool gate in resolve with a call to d.authz.Authorize,
extracting HTTP Basic credentials via credFromRequest. Remove the now-redundant
allowPush field from the daemon struct and all daemon literals in tests. Add
TestSmartHTTPAnonymousReadWhilePushDisabled to verify reads succeed when writes
are denied.