Limit Incoming API to localhost + auth

Steps:

• localhost realm
• file based token checker
• localhost resource
• .tac for localhost
• move incoming api writer to localhost resource
• change packaging files
• test in cdev

Main issue:

• #8867 (closed) Limit Incoming API to localhost

Related Issues:

• #8818 (closed) Integrate blobs with platform
• #8854 (closed) Add basic authentication for MX interacting with /incoming

Note: this isn't meant to close all issues with one MR, but it does contain code based on discussion in all of them.