Capability providers can't verify source of shutdown message

[stevelr]

Capability provider shutdown messages (on topic wasmbus.rpc.LATTICE.PROVIDER.LINKNAME.shutdown) are unsigned, so anybody connected to the nats network could send a message on this topic and force a capability provider to go down.

Should these be signed invocations so the provider can verify that the sender is a trusted host?