I started to figure out how mercurial works this weekend. It seems like we're going to want to implement http for anonymous reads using mercurial's cgi script and ssh for read/write. ssh access will directly invoke mercurial commands on the repository and we'll use mercurial's acls to control who has access to what.
Still open: Being able to hide embargoed branches. This may be doable using mercurial's ACLs similar to using filesystem ACLs in bzr.
This is all subject to change depending on what other features get dug up in continued usage.