Add optional bearer token auth (deferred)

[aurexav]

Context
ELF v2 will initially use explicit context headers (tenant_id, project_id, agent_id, read_profile). This is sufficient for localhost or trusted internal deployments, but it does not prevent clients from spoofing namespace boundaries if the API is exposed to untrusted networks.

Goal
Add optional bearer token authentication and authorization so namespace and permissions are enforced by the server, not by caller-supplied headers.

Scope

• Add an auth middleware that validates a bearer token and derives a RequestContext (tenant_id, project_id, optional agent_id, and allowed scopes/read profiles).
• Support a simple first version based on static API keys configured in elf.toml (opaque tokens), with room to extend to JWT later.
• When auth is enabled, require Authorization for all public endpoints and admin endpoints; ignore or reject spoofable context headers.
• Add audit fields to traces/versions (actor id or token id) for debugging.

Non-goals

• No user management UI.
• No OIDC integration.
• No hosted multi-tenant control plane.

Acceptance criteria

• Without a token, requests fail with 401 when auth is enabled.
• With an invalid token, requests fail with 401.
• With a valid token but insufficient permissions, requests fail with 403.
• Admin endpoints require an admin-capable token.
• Traces include the derived context and actor identity.