
feat: changed opa headers mechanism from whitelist to blacklist #47

Merged
shimoncohen merged 5 commits into master from blacklist-headers on Jun 23, 2026

Conversation

@CptSchnitz (Contributor) commented Jun 21, 2026

Description:
This PR refactors the NGINX njs script to transition our OPA header filtering from an allowlist (whitelist) to a denylist (blocklist).

Key benefits of this change:

  • Enabled zero-friction policy updates: I removed the need for NGINX deployments just to add new headers. Future custom headers for new policies will now automatically flow through to OPA.
  • Improved observability and debugging: Header typos are no longer silently dropped at the edge. Invalid or misspelled headers now reach OPA and appear in the decision logs, making troubleshooting much faster.
  • Maintained performance & reduced log bloat: I implemented a highly optimized, O(1) module-level denylist to explicitly strip out heavy, irrelevant payloads (Cookie, raw Authorization, legacy tracing, and cache/network noise). This ensures we keep request latency low and OPA payload sizes lean.

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the NGINX njs OPA authorization request payload construction by switching from an explicit header allowlist to a general “pass-through except denylist” mechanism, so OPA receives more request header context by default.

Changes:

  • Added a DENYLIST of request headers to exclude from OPA input.
  • Introduced filterHeaders(r) to forward all non-denylisted r.headersIn entries to OPA.
  • Replaced the previous hardcoded header allowlist with headers: filterHeaders(r) in the OPA input payload.
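The mechanism described in the PR description above and summarized in this review overview (a module-level denylist, a `filterHeaders(r)` that forwards every other `r.headersIn` entry, and `headers: filterHeaders(r)` in the OPA input), written out as an added example. This is not the project's docker-image/nginx-config/auth.js (the diff is not shown on this page); it is plain JavaScript that runs under Node.js and follows the shape of an njs request handler. Only Cookie and Authorization in the denylist come from the PR; the remaining entries, the OPA input layout, the constructed sample request and the credential-name heuristic are assumptions.

```javascript
// Added example, not the project's auth.js: "forward everything except a
// denylist" header filtering for an OPA authorization request. Plain
// JavaScript so it runs under Node.js; r.method, r.uri and r.headersIn
// follow the njs request object, everything else is an assumption.

// Module-level denylist, built once; Set.has() makes each lookup O(1).
// Cookie and Authorization come from the PR description; the rest are
// assumed examples of credential-bearing, legacy tracing and
// cache/transport headers a deployment might choose to strip.
const DENYLIST = new Set([
  'cookie',
  'authorization',
  'proxy-authorization',
  'x-b3-traceid',
  'x-b3-spanid',
  'x-b3-parentspanid',
  'x-b3-sampled',
  'if-none-match',
  'if-modified-since',
  'cache-control',
  'pragma',
  'connection',
  'keep-alive',
  'accept-encoding',
  'content-length',
]);

// Copy every header that is not denylisted. Names are compared
// case-insensitively (HTTP header names are), but the original spelling is
// kept so a misspelled custom header shows up exactly as sent in OPA's
// decision log, which is the debugging property the PR is after.
function filterHeaders(headersIn) {
  const forwarded = {};
  for (const name of Object.keys(headersIn)) {
    if (DENYLIST.has(name.toLowerCase())) continue;
    forwarded[name] = headersIn[name];
  }
  return forwarded;
}

// Assumed OPA input layout: the PR only says the payload now carries
// `headers: filterHeaders(r)`.
function buildOpaInput(r) {
  return {
    input: {
      method: r.method,
      uri: r.uri,
      headers: filterHeaders(r.headersIn),
    },
  };
}

// The flip side of a denylist: any credential-bearing header nobody listed
// is forwarded and then lands in OPA's decision logs. This assumed name
// heuristic is a safety net for tests or startup checks; it returns the
// forwarded headers that look like credentials so DENYLIST can be extended.
const CREDENTIAL_NAME_PATTERN = /auth|token|key|secret|cookie|password|session/i;

function unlistedCredentialHeaders(forwarded) {
  return Object.keys(forwarded).filter((name) => CREDENTIAL_NAME_PATTERN.test(name));
}

// Constructed sample request standing in for the njs `r` object.
const sampleRequest = {
  method: 'GET',
  uri: '/api/v1/items',
  headersIn: {
    'Host': 'api.example.internal',
    'Authorization': 'Bearer eyJhbGciOiJSUzI1NiJ9.sample.signature',
    'Cookie': 'session=0123456789abcdef',
    'X-B3-TraceId': '80f198ee56343ba864fe8b2a57d3eff7',
    'X-Tenant-Id': 'acme',
    'X-Tenatn-Id': 'typo-that-now-reaches-opa',
    'X-Api-Key': 'k-123456',
  },
};

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  const payload = buildOpaInput(sampleRequest);
  console.log(JSON.stringify(payload, null, 2));
  console.log('credential-looking headers not in DENYLIST:',
    unlistedCredentialHeaders(payload.input.headers));
}
```

Running it shows Cookie, Authorization and the trace header stripped, the misspelled X-Tenatn-Id forwarded as sent, and X-Api-Key flagged by the heuristic: with an allowlist that header was dropped for free, with a denylist someone has to remember to add it, and until they do it is both sent to OPA and written to its decision logs.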


Review comment threads on docker-image/nginx-config/auth.js (one marked outdated)
CptSchnitz and others added 3 commits June 21, 2026 10:52
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@shimoncohen shimoncohen merged commit 69de12f into master Jun 23, 2026
1 check passed
@shimoncohen shimoncohen deleted the blacklist-headers branch June 23, 2026 08:06

4 participants