docs: fix inconsistencies in architecture specs

- Replace hub/spoke with head/worker terminology in call-protocol.md,
  auth.md, open-questions.md, napi-and-pubsub.md
- Update operation paths from /{spoke}/{service}/{op} to
  /{node}/{service}/{op} throughout call-protocol.md
- Unify Identity struct: auth.md already had {id, scopes, resources},
  add note clarifying this is canonical (vs research/services.md which
  used {node_id, fingerprint, scopes})
- Update integration-plan.md inconsistencies section to track what's
  been fixed (hub/spoke, identity model) and expand service naming
  to include external services
- Update call-protocol.md last_updated date

ADRs are intentionally left unchanged as historical records.

docs/architecture/auth.md

@@ -1,6 +1,6 @@
 ---
 status: draft
-last_updated: 2026-06-04
+last_updated: 2026-06-07
 ---
 
 # Authentication & Identity
@@ -95,11 +95,19 @@ pub struct Identity {
 }
 ```
 
+> **Note on identity models**: Earlier research used `{node_id, fingerprint, scopes}`.
+> The unified model uses `{id, scopes, resources}` where `id` serves as both
+> fingerprint (for key-based auth from config) and account UUID (for
+> database-backed auth). The `resources` field provides resource-level
+> authorization beyond what scopes offer. This is the canonical definition
+> that all components should use.
+```
+
 **Default implementation**: `ConfigIdentityProvider` loads from
 `DynamicConfig.auth` (the `authorized_keys` set). Every authorized key gets a
 default scope set. No database required.
 
-**Hub implementation**: Backed by `@alkdev/storage`'s `peer_credentials` and
+**Head implementation**: Backed by `@alkdev/storage`'s `peer_credentials` and
 `accounts` tables plus the ACL graph. Resolves fingerprint → account →
 organization membership → effective scopes. Uses `ArcSwap` for hot reload.