Add optional authentication to memory API routes

## Problem

The `/api/memory/*` routes are intentionally unauthenticated, which is fine for local-only usage. However, if the app is ever exposed beyond localhost (e.g., via tunnel, LAN, or future cloud deployment), the memory API becomes an open read/write surface.

## Proposed Solution

Add optional authentication that can be enabled via configuration:

1. **Default: no auth** — Preserve current behavior for local development
2. **Opt-in token auth** — When `OPENTRUST_MEMORY_API_AUTH=true`, require a Bearer token matching `OPENTRUST_AUTH_TOKEN`
3. **Shared middleware** — Reuse the existing auth verification from `lib/opentrust/auth.ts`
4. **Localhost bypass** — Respect `OPENTRUST_ALLOW_LOCALHOST_BYPASS` for local access

## Acceptance Criteria

- [ ] Memory API routes work without auth by default (backward compatible)
- [ ] When enabled, unauthenticated requests receive `401 Unauthorized`
- [ ] Token auth uses the same timing-safe comparison as login
- [ ] Localhost bypass works when configured
- [ ] Documentation updated with new env variable
- [ ] Unit tests for authenticated and unauthenticated scenarios

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add optional authentication to memory API routes #12

Problem

Proposed Solution

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Add optional authentication to memory API routes #12

Description

Problem

Proposed Solution

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions