Commit b4889bc

Jay Ghurye authored and meta-codesync[bot] committed
support non-lookaside KCB via kcb_identity thrift header
Summary: Adds the UCache server-side handling for the Generalized KCB design (https://docs.google.com/document/d/1h-KmoXDwUozfXVfkLGcof87cqqZwwuwQX4TO8g3-yaU).

KCB today binds the cache key to the caller's TLS service identity, which forces a cache miss whenever readers and writers don't share that identity (split-identity / non-lookaside use cases, high-fanout readers). Generalized KCB lets a caller name a MEMCACHE ACL via a new `kcb_identity` thrift header and bind the KCB hash to that ACL name instead of their own TLS identity, so all callers with `access` on that ACL share one cache view.

Authorization is delegated to TokenService, which already supports minting a CAT against `MEMCACHE_ID:<aclName>` (added in TokenService.cpp:2369). On the UCache server we just have to verify the request CAT contains a `MEMCACHE_ID:<aclName>` identity matching the header — by the time KeyClientBinder runs, the standard Thrift auth pipeline has already verified CAT signatures and populated request identities, so this is a cheap membership check.

Behavior is gated behind a new `enable_kcb_identity_header` ucache option (default off). When the option is off, no per-request header lookup happens. When on:

- if header present and a matching `MEMCACHE_ID:<header>` identity is in the request CAT → bind KCB id to the ACL name
- if header present but no matching identity → log via ODS counter and fall through to TLS path (preserves availability, never errors)
- if header absent → existing TLS path runs unchanged

New ODS counters:

- kcb_identity_header_used: matched, KCB id derived from the ACL
- kcb_identity_header_no_cat_match: header set but CAT didn't authorize that ACL

A new shared header constant `carbon::MessageCommon::kKcbIdentityHeader = "kcb_identity"` is added so client and server agree on the wire name.

Reviewed By: lenar-f

Differential Revision: D104068350

fbshipit-source-id: 76727da1a241f2a64753e37558e7f3ff09d3505f
1 parent 42aa391 commit b4889bc

1 file changed

Lines changed: 2 additions & 0 deletions

mcrouter/lib/carbon/MessageCommon.h

@@ -40,6 +40,8 @@ class MessageCommon {
4040
static constexpr std::string_view kClientIdentifierHeader =
4141
"client_identifier";
4242

43+
static constexpr std::string_view kKcbIdentityHeader = "kcb_identity";
44+
4345
protected:
4446
std::string traceContext_;
4547
};
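
Review bot: `kKcbIdentityHeader` at new line 43 is added without a comment, so nothing in MessageCommon.h tells a reader that the header value is supplied by the caller and, per the commit message, is only meaningful once the request CAT has been checked for a matching `MEMCACHE_ID:<aclName>` identity. Suggest a short comment above the constant saying that the value names a MEMCACHE ACL and must not be used to derive the KCB id without that check; the neighbouring `kClientIdentifierHeader` would benefit from a one-line description as well. Separately, the commit message describes the `enable_kcb_identity_header` option and two ODS counters, none of which appear in this two-line change, so it would help to state in the message that this commit carries only the shared wire-name constant.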
