NimsForest Issues

landregistry: clarify Pantheon vs Mycelium auth responsibilities
proposed question Priority: medium Project: landregistry Reporter: 21 Mar 2026 17:30

Description

Landregistry currently uses Pantheon tokens for HTTP API auth and relies on Mycelium NATS account permissions for Wind-based operations. This creates two parallel auth paths for the same resource.

**Current state:**
- HTTP endpoints validate Bearer tokens against Pantheon (admin key or realm key)
- NATS endpoints rely on Mycelium account permissions (organisationland account can publish to `tap.landregistry.lands.create`)
- A request arriving via NATS has already been authenticated by Mycelium — no Pantheon check
- A request arriving via HTTP is authenticated by Pantheon — no Mycelium involvement

**Question:** Should Pantheon and Mycelium have distinct responsibilities, or should one be the single source of truth for landregistry access?

- **Pantheon** = identity (who are you, what org do you belong to)
- **Mycelium** = connectivity (what NATS subjects can you publish/subscribe to)

If landregistry moves fully to NATS, Pantheon auth becomes unnecessary for it. But Pantheon may still be needed for user-facing services (nimsforestecommerce, dashboards) that need to know org membership.
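
An added example, not part of the issue or the NimsForest code base: a small audit that compares the two paths described above for the create operation and lists orgs whose HTTP (Pantheon) and NATS (Mycelium) grants disagree. The policy shapes, the `lands.create` action name, the one-to-one mapping between a Pantheon realm and a Mycelium account, and every org except `organisationland` are assumptions; the subject matching follows standard NATS wildcard rules.

```python
# Added example; policy shapes and all org names except "organisationland" are constructed.
CREATE_SUBJECT = "tap.landregistry.lands.create"  # subject named in the issue
CREATE_ACTION = "lands.create"                    # hypothetical Pantheon-side action name

def subject_matches(pattern, subject):
    """NATS wildcard match: '*' is exactly one token, '>' is one or more trailing tokens."""
    p, s = pattern.split("."), subject.split(".")
    for i, tok in enumerate(p):
        if tok == ">":
            return i == len(p) - 1 and len(s) > i
        if i >= len(s) or tok not in ("*", s[i]):
            return False
    return len(p) == len(s)

def nats_can_publish(perms, subject):
    """NATS publish permissions: deny wins; with no allow list, anything not denied passes."""
    if any(subject_matches(d, subject) for d in perms.get("deny", [])):
        return False
    return any(subject_matches(a, subject) for a in perms.get("allow", [">"]))

def find_drift(http_grants, nats_perms):
    """Return {org: (http_ok, nats_ok)} for every org where the two paths disagree."""
    drift = {}
    for org in sorted(set(http_grants) | set(nats_perms)):
        http_ok = CREATE_ACTION in http_grants.get(org, set())
        nats_ok = org in nats_perms and nats_can_publish(nats_perms[org], CREATE_SUBJECT)
        if http_ok != nats_ok:
            drift[org] = (http_ok, nats_ok)
    return drift

# Constructed sample policies: what each org's Pantheon realm key may do over HTTP ...
HTTP_GRANTS = {
    "organisationland": {"lands.create"},
    "orchard": {"lands.create"},
    "meadow": set(),
    "grove": {"lands.create"},
}
# ... and what the matching Mycelium account may publish over NATS.
NATS_PERMS = {
    "organisationland": {"allow": ["tap.landregistry.lands.create"]},
    "orchard": {"allow": ["tap.landregistry.lands.get"]},
    "meadow": {"allow": ["tap.landregistry.>"]},
    "grove": {"allow": ["tap.>"], "deny": ["tap.landregistry.lands.*"]},
}

if __name__ == "__main__":
    for org, (http_ok, nats_ok) in find_drift(HTTP_GRANTS, NATS_PERMS).items():
        print(f"{org}: HTTP create={http_ok}, NATS create={nats_ok}")
```

Wildcard grants (`meadow`) and deny overrides (`grove`) are the cases a literal string comparison of the two policy sets would miss.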

Comments (1)

nebula 21 Mar 2026 17:45
Grooming: set priority to medium

Nebula's reasoning: This is a foundational architectural question about auth boundaries between Pantheon and Mycelium. It's not blocking any current work — both auth paths function correctly today — but resolving it will prevent drift as more services adopt the taproot pattern. Medium priority because the answer here informs decisions in #58 (HTTP-to-NATS migration) and shapes the long-term auth model for the entire NimsForest platform. Title and description are clear and well-structured, no changes needed there.