Add Cargo package upload authorize endpoint

Chandra Kiran Grequested to merge
gitlab-community/gitlab-org/gitlab:33060-cargo-upload-authorize-endpoint into master

What does this MR do and why?

feat: Add Cargo package upload authorize endpoint

Implement MR3 of the Cargo package registry MVC: the workhorse-assisted upload authorize handshake for cargo publish. Cargo sends the crate body to PUT {api}/api/v1/crates/new; GitLab uses the standard two-stage pattern (/authorize then publish in MR4) so workhorse can stream the upload to object storage before Rails processes it.

This follows the remaining-work breakdown in #33060 (comment 3360481087) (MR1: download, MR2: sparse index, MR3: authorize, MR4: publish, MR5: GA hardening).

Add the cargo upload authorize endpoint at /api/v4/projects/:id/packages/cargo/api/v1/crates/new/authorize following the npm authorize pattern: enforce create-package permission, require workhorse headers, and return a workhorse authorize response with cargo_max_file_size as the upload size limit.

Expose the existing cargo_max_file_size plan limit through the admin Plan Limits API and document it alongside other package registry file size limits.

Related to #33060

Changelog: added

References

Screenshots or screen recordings

Before After

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #33060

Merge request reports