feat: 添加请求认证中间件保护 API 端点

- 新增 auth-middleware.js 验证客户端 API Key
- 支持 Authorization: Bearer <key> 和 x-api-key 两种方式
- API Keys 只通过环境变量配置（安全最佳实践）
- 公开路径: /, /health, /status
- 可配置 /v1/models 是否需要认证
- 启动时输出认证状态日志

配置方式:
  AUTH_ENABLED=true
  API_KEYS=sk-key1,sk-key2

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

.env.example

@@ -34,3 +34,8 @@ TUNNEL_TOKEN=
 # CORS_ENABLED=true
 # CORS_ALLOW_ALL=false
 # CORS_ORIGINS=https://app1.com,https://app2.com
+
+# API Authentication - Protect your API endpoints
+# AUTH_ENABLED=true                    # Enable authentication (required for production)
+# API_KEYS=sk-key1,sk-key2,sk-key3     # Comma-separated API keys (ONLY via env var for security)
+# AUTH_PUBLIC_MODELS=true              # Allow /v1/models without auth