API key authentication middleware #62

@krapfj23

Summary

Add API key auth to protect all endpoints except health checks.

Blocked by

Nothing — this is a starting ticket.

Blocks

Steps

  1. Create backend/app/middleware/auth.py
  2. Define a FastAPI dependency that reads X-API-Key from the request header
  3. Compare against a list of valid keys stored in env var API_KEYS (comma-separated)
  4. Return 401 if header is missing, 403 if key is invalid
  5. Apply the dependency to all routes except /health and /ready
  6. Add API_KEYS to .env.example
  7. Write tests: request without key → 401, bad key → 403, valid key → 200

Acceptance Criteria

  • All protected endpoints reject requests without a valid API key
  • /health and /ready are accessible without auth
  • 401 for missing key, 403 for invalid key
  • Tests pass
  • PR body includes Closes #62
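
An added sketch of steps 2 to 5, not part of the issue or the project's code: the framework-independent check that a FastAPI dependency could call, raising `HTTPException` with the returned status when it is not 200. The function names, `PUBLIC_PATHS`, the constant-time comparison, the fail-closed handling of an empty `API_KEYS`, and the sample keys are assumptions of this example.

```python
import hmac
import os

# Exempt routes named in the ticket (constant name is this example's choice).
PUBLIC_PATHS = frozenset({"/health", "/ready"})


def load_api_keys(raw=None):
    """Parse the comma-separated API_KEYS value; blank entries are dropped."""
    if raw is None:
        raw = os.environ.get("API_KEYS", "")
    return [k.strip().encode() for k in raw.split(",") if k.strip()]


def key_is_valid(presented, valid_keys):
    """Compare against every configured key in constant time, with no early exit."""
    candidate = presented.encode()
    ok = False
    for key in valid_keys:
        ok |= hmac.compare_digest(candidate, key)
    return ok


def auth_status(path, header_value, valid_keys):
    """Return the status the ticket specifies: 200, 401 (missing) or 403 (invalid)."""
    if path in PUBLIC_PATHS:   # exact match, so /healthz or /health/x stay protected
        return 200
    if not header_value:       # X-API-Key absent or empty
        return 401
    if not valid_keys:         # API_KEYS unset or blank: fail closed (assumption)
        return 403
    return 200 if key_is_valid(header_value, valid_keys) else 403


if __name__ == "__main__":
    # Constructed sample value for API_KEYS, including stray commas and spaces.
    keys = load_api_keys("k1-constructed, k2-constructed,, ")
    for path, header in [("/health", None), ("/items", None),
                         ("/items", "wrong"), ("/items", "k2-constructed")]:
        print(path, header, auth_status(path, header, keys))
```

Dropping blank entries in `load_api_keys` matters: a trailing comma in `API_KEYS` would otherwise register the empty string as a valid key.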
