docs(README): 補 MH_API_TOKEN opt-in auth 小段（指向 ADR-0007）

README 原本多處寫「no auth」，在 0.2.1 加了 opt-in Token auth 後
不再完全準確。在 Multi-host deployment 段末補 3 行小節讓 operator
知道有這條選項，細節跳 ADR-0007。

Directive: 不改既有 L61/L167 的 "no auth" — quickstart 預設 token 未設
  確實就是 no auth (bypass)，寫法正確
Directive: 多語 intro 的 "沒有 auth" 不動 — elevator pitch 節奏優先，
  細節讀者自會往下找

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: MakiDevelop

README.md

@@ -194,6 +194,10 @@ environment:
 
 Rationale in [ADR 0006](docs/adr/0006-http-embedder-embed-queue-isolation.md). The default `MH_EMBEDDER_KIND=ollama` is unchanged — existing deployments do nothing.
 
+### Opt-in token auth
+
+Set `MH_API_TOKEN` to require `Authorization: Bearer <token>` on all `/v1/memory/*` endpoints (`/v1/health` stays public). Leave unset for dev. Rationale + when to upgrade to HMAC in [ADR 0007](docs/adr/0007-minimal-token-auth.md).
+
 ---
 
 ## What v0.2 is / isn't (honest expectations)