feat: add bearer token authentication to WebSocket server
- Add shared auth validation helpers in server-common:
- validate_auth_header() with constant-time comparison
- extract_api_key_from_auth_header() for "Bearer " prefix handling
- Uses XOR-based constant-time compare to prevent timing attacks
- Update HTTP server to use shared validation helper
- Add WebSocket authentication during handshake:
- Validates Authorization header against configured API keys
- Returns 401 with JSON error response on auth failure
- Supports same "Bearer <token>" format as HTTP endpoints
- Add WebSocket authentication tests in test_security.py
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
