auth/actor_search_actions.ts

actor_search RPC handler.

Pure read — no audit, no side effects. Auth (account: 'required', actor: 'none') + rate-limit (account-grain) enforced at the spec layer; see auth/actor_search_action_specs.ts for the info-leak audit and threat model.

The handler adds two checks the spec layer can't express:

- Admin gate on empty scope_ids — unbounded global search is admin-only. Non-admin callers without a scope_ids filter are rejected with invalid_params carrying actor_search_scope_required. The admin check is account-grain (any actor on the caller's account holds a global admin role_grant) since the actor: 'none' posture doesn't load auth.role_grants for an in-memory check.
- Limit clamp — input is bounded by ACTOR_SEARCH_LIMIT_MAX at the schema; the handler picks the default when omitted.

display_name is omitted (not null) when actor.name is blank, matching the wire shape ActorLookupEntryJson.display_name? — same convention as actor_lookup_actions.ts.
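The two handler checks and the display_name convention described above, as an added sketch that is not the module's own code. The function names, the `account_is_admin` parameter, both limit values, the re-clamp, and treating a missing scope_ids like an empty one are assumptions made for illustration.

```typescript
// Added illustration; every name and constant here is hypothetical unless it appears on the page.
const ACTOR_SEARCH_LIMIT_MAX = 50;     // placeholder value; the real bound is defined at the schema
const ACTOR_SEARCH_LIMIT_DEFAULT = 20; // hypothetical default; the page does not name or size it

interface ActorSearchInput { query: string; scope_ids?: string[]; limit?: number }
interface ActorRow { id: string; name: string }
interface ActorEntry { id: string; display_name?: string }

type Resolved =
  | { ok: true; scope_ids: string[] | null; limit: number }
  | { ok: false; code: 'invalid_params'; reason: string };

// account_is_admin stands for the account-grain lookup ("does any actor on the
// caller's account hold a global admin role_grant?"). It is passed in because
// the actor: 'none' posture leaves no role grants in memory to inspect.
function resolve_actor_search(input: ActorSearchInput, account_is_admin: boolean): Resolved {
  const ids = input.scope_ids ?? [];
  const is_scoped = ids.length > 0; // assumption: missing and [] both mean "global search"
  if (!is_scoped && !account_is_admin) {
    return { ok: false, code: 'invalid_params', reason: 'actor_search_scope_required' };
  }
  const requested = input.limit ?? ACTOR_SEARCH_LIMIT_DEFAULT;
  // The schema already bounds the input; clamping again here is an added
  // defence-in-depth step for callers that bypass schema validation.
  const limit = Math.min(Math.max(1, Math.trunc(requested)), ACTOR_SEARCH_LIMIT_MAX);
  return { ok: true, scope_ids: is_scoped ? ids : null, limit };
}

// Omit display_name entirely (rather than sending null) when the name is blank.
function to_entry(row: ActorRow): ActorEntry {
  const entry: ActorEntry = { id: row.id };
  if (row.name.trim() !== '') entry.display_name = row.name;
  return entry;
}
```
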

Declarations

2 declarations

ActorSearchActionDeps

create_actor_search_actions

Depends on