This repository was archived by the owner on Apr 15, 2026. It is now read-only.

[API] Optional API-key authentication for non-localhost deployments #136

@Panacota96

Description

Problem or opportunity

The web server currently has no authentication. While localhost-only binding (127.0.0.1) is the primary security control, Docker/K8s deployments bind to 0.0.0.0 — exposing the API to anyone on the network. After adding session CRUD and zsh terminal endpoints, an unauthenticated API becomes a high-risk attack surface (full shell access to the host).

Proposed solution

Add an optional API key authentication middleware for non-localhost deployments:

  1. gscroll serve --api-key <key> flag (or GUILD_SCROLL_API_KEY env var).
  2. When set, every request must include Authorization: Bearer <key> header.
  3. Requests with a missing or wrong key receive 401 Unauthorized (JSON body).
  4. 127.0.0.1 requests optionally bypass auth when --allow-localhost-bypass flag is set.
  5. API key generated as a cryptographically random 32-byte hex string (secrets.token_hex(32)).
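A reference sketch of steps 1-5, added here as an illustration rather than the project's own code: it assumes a WSGI-style `app(environ, start_response)` interface and the names `generate_api_key`, `resolve_api_key`, `redacted`, `is_authorized` and `ApiKeyMiddleware`, none of which exist in the repository.

```python
import hmac
import os
import secrets
from typing import Mapping, Optional

UNAUTHORIZED_BODY = b'{"error":"unauthorized"}'
LOCALHOST = ("127.0.0.1", "::1")  # assumption: treat IPv6 loopback like 127.0.0.1


def generate_api_key() -> str:
    """Step 5: a 32-byte cryptographically random key, hex-encoded (64 chars)."""
    return secrets.token_hex(32)


def resolve_api_key(flag_value: Optional[str], env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Step 1: the --api-key flag wins over GUILD_SCROLL_API_KEY; None means auth is off."""
    return flag_value or env.get("GUILD_SCROLL_API_KEY") or None


def redacted(key: str) -> str:
    """For log lines: never the key itself, only its length and last 4 hex chars."""
    return f"<api-key len={len(key)} ...{key[-4:]}>"


def is_authorized(api_key: Optional[str], headers: Mapping[str, str],
                  remote_addr: str, allow_localhost_bypass: bool = False) -> bool:
    """Steps 2-4: Bearer check with a constant-time comparison; optional loopback bypass."""
    if api_key is None:  # auth not enabled
        return True
    if allow_localhost_bypass and remote_addr in LOCALHOST:
        return True
    value = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, presented = value.partition(" ")
    if scheme.lower() != "bearer" or not presented.strip():
        return False
    # hmac.compare_digest runs in time independent of where the inputs first differ
    return hmac.compare_digest(presented.strip().encode(), api_key.encode())


class ApiKeyMiddleware:
    """WSGI wrapper (assumed interface): 401 + JSON body on failure, else pass through."""

    def __init__(self, app, api_key: Optional[str], allow_localhost_bypass: bool = False):
        self.app, self.api_key, self.bypass = app, api_key, allow_localhost_bypass

    def __call__(self, environ, start_response):
        headers = {"Authorization": environ.get("HTTP_AUTHORIZATION", "")}
        if is_authorized(self.api_key, headers, environ.get("REMOTE_ADDR", ""), self.bypass):
            return self.app(environ, start_response)
        start_response("401 Unauthorized", [("Content-Type", "application/json"),
                                            ("WWW-Authenticate", "Bearer")])
        return [UNAUTHORIZED_BODY]
```

Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the bypass must only consult the direct peer, never an `X-Forwarded-For` header, or any client could claim to be loopback.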

Scope

In scope: Bearer token middleware, CLI flag + env var support, 401 response, localhost bypass option.
Out of scope: JWT, OAuth, multi-user RBAC (future milestone), TLS (separate issue).

Acceptance criteria

  • --api-key flag and GUILD_SCROLL_API_KEY env var accepted
  • All endpoints return 401 when key missing/wrong and auth is enabled
  • Localhost bypass option documented and tested
  • Key never logged in plain text
  • Tests: unauthenticated request → 401; authenticated request → 200; bypass behavior
  • Security impact reviewed (timing-safe comparison via hmac.compare_digest)
  • Docs: README and Docker docs updated with auth setup instructions
