agent: controller publications should bypass authorization checks

Automated publications that are performed by controllers should bypass authorization checks. We currently require controllers to assume the `estuary_support/` role, which must have an authorization grant to every prefix in the system. We'd like to instead have agents bypass authZ checks for publications that are triggered by our automation.