docs: complete Phase 0 architecture — spec updates, review fixes, and link portability

Update four existing specs (overview, server, napi-and-pubsub, call-protocol) to
reflect Phase 0 decisions: three-layer model, IdentityProvider, ForwardingPolicy,
OperationEnv, static/dynamic config split. Review all 9 Phase 0a ADRs (026-034)
for consistency. Fix 4 critical issues from architecture review: missing OQ-SVC-05
in open-questions.md, deprecated hub terminology, undefined AuthService and noq
terms. Replace inline OQ text with cross-references per format rules. Add
ConfigServiceImpl definition to configuration.md. Port absolute workspace paths
to project-relative links by copying referenced docs (feasibility, certbot,
fail2ban, event_source_types) into docs/research/.

docs/architecture/storage.md

@@ -197,17 +197,12 @@ dependency.
 ## Open Questions
 
 - **OQ-SVC-03**: How does the secret service integrate with the existing
-  `EncryptedDataSchema` from `@alkdev/storage`? The Rust implementation replaces
-  PBKDF2 password-based encryption with derived AES-256-GCM keys. The
-  `EncryptedData` format is a superset — old format can be migrated by
-  re-encrypting with the new key.
+  `EncryptedDataSchema` from `@alkdev/storage`? See [open-questions.md](open-questions.md).
 
-- **OQ-SVC-04**: Should workers cache derived keys locally? Yes, with a TTL
-  (default: 1 hour). The head can revoke by invalidating the session.
+- **OQ-SVC-04**: Should workers cache derived keys locally? See [open-questions.md](open-questions.md).
 
-- **OQ-SVC-05**: How does the smart contract (NFT-based ACL) interact with the
-  secret service? The Ethereum signing key (`m/44'/60'/0'/0/0`) is derived from
-  the same seed. The smart contract is a separate concern.
+- **OQ-SVC-05**: How does the NFT-based ACL smart contract interact with the
+  secret service? See [open-questions.md](open-questions.md).
 
 ## Design Decisions