Harden default authentication secrets

[alias8818]

Summary

• remove hardcoded JWT/admin-token defaults from production configuration
• require admin proxy authentication before forwarding dashboard /api/v1 calls
• require users to provide API keys in the UI instead of shipping a demo key
• carry the submitted UI API key through polling/details requests without re-reading the input mid-flight
• stop seeding a known demo API key in the base database schema
• remove an API-key-shaped placeholder from quick-start docs

Verification

• npm run build ✅
• npm test -- --runTestsByPath src/api/__tests__/gateway.test.ts src/api/__tests__/authentication.test.ts ✅

  

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c325b9c. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c325b9c636

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate proxy token injection behind dashboard authentication

proxyToApiGateway now adds Authorization: ApiKey <ADMIN_API_TOKEN> whenever the incoming request lacks an Authorization header, but /api/v1 is mounted without any auth guard in setupRoutes. This means any client that can reach the admin server (for example via the published admin port) can call /api/v1/* without credentials and still be proxied as admin-dashboard, which nullifies the token hardening this change is trying to achieve. Require admin-side authentication before injecting the token (or only inject for trusted authenticated sessions).

Useful? React with 👍 / 👎.