security: add API key authentication to all API endpoints

[aaniya22]

Fixes #266

Every API endpoint was reachable without any credential. An attacker
with access to the backend port could read vault secrets, wipe scan
history, or start arbitrary scans.

Changes:

• Added backend/secuscan/auth.py with require_api_key dependency
• On first startup, if SECUSCAN_API_KEY is not set, a random 64-char
  hex key is generated, saved to data/api_key.txt, and logged once
• Every request to /api/v1/* must supply the key as:
  Authorization: Bearer <key> or X-Api-Key: <key>
• /api/v1/health, /docs, /redoc, / remain public
• Added SECUSCAN_API_KEY to config.py and documented in .env.example

No breaking change for users who set SECUSCAN_API_KEY in their env.
Users without it get a key auto-generated and logged on first run.

[utksh1]

Thanks for working on API auth. This cannot merge as-is: backend-tests are failing, the frontend/API client has no credential flow so the app would start sending unauthenticated requests, and generating/logging an API key from inside the backend is not an operator-safe rollout path. Please restore green checks, add frontend/client integration and docs, keep health/public endpoints intentional, and avoid logging secrets.