fix(node-agent): import crypto — auth was ALWAYS failing on remote nodes

THE root cause of 'container view only shows the primary': checkAgentAuth used
crypto.timingSafeEqual but 'crypto' was never imported (ES module). The call
threw ReferenceError, the try/catch swallowed it, _bearerEq returned false, so
EVERY bearer-token check on a node-agent failed. The primary's own containers
showed only because the local node-agent has no NODE_TOKEN (auth skipped).

Adding 'import crypto from crypto' makes token comparison work, so the primary
mam-api can now read containers + logs from every node.

services/node-agent/index.js

@@ -1,6 +1,7 @@
 import http          from 'http';
 import os            from 'os';
 import fs            from 'fs';
+import crypto        from 'crypto';
 import { spawn }     from 'child_process';
 
 const MAM_API_URL  = (process.env.MAM_API_URL  || 'http://localhost:3000').replace(/\/$/, '');
@@ -961,12 +962,7 @@ function checkAgentAuth(req) {
   const m = /^Bearer\s+(.+)$/i.exec(hdr);
   if (!m) return false;
   const token = m[1];
-  const okNode = _bearerEq(token, NODE_TOKEN);
+  return _bearerEq(token, NODE_TOKEN) || _bearerEq(token, CLUSTER_READ_TOKEN);
-  const okShared = _bearerEq(token, CLUSTER_READ_TOKEN);
-  if (!okNode && !okShared) {
-    console.warn(`[auth] reject: tok=${token.slice(0,6)}..${token.slice(-6)} CRT=${CLUSTER_READ_TOKEN.slice(0,6)}..${CLUSTER_READ_TOKEN.slice(-6)} match=${token===CLUSTER_READ_TOKEN}`);
-  }
-  return okNode || okShared;
 }
 
 // ── Driver/SDK install ────────────────────────────────────────────────────