fix(pipelines): add auth middleware and remove x-tenant-id header trust

[grndlvl]

Summary

Fixes two security issues from grndlvl's review on PR #28 (Finding 1a/1b):

• Pipeline routes exposed without auth: All CRUD/execution/review endpoints at /api/pipelines/* were accessible without authentication. Added requireBearerToken middleware to the route mount in index.ts.
• Tenant identity was client-controlled: getTenantId() trusted the x-tenant-id request header, allowing any caller to impersonate any tenant. Replaced with auth-derived identity (req.mcpUser.id from Bearer token), matching the existing pattern in tools/executor.ts.

Files changed (3)

File	Change
src/index.ts	Add requireBearerToken to pipeline route mount
src/pipelines/routes.ts	Replace getTenantId() — remove header trust, use mcpUser.id
tests/pipelines/routes.test.ts	Update test helper to use mcpUser instead of x-tenant-id header

Context

• The broader tenant resolution strategy (3 coexisting patterns) is tracked in Unify tenant identity resolution across three coexisting patterns #37
• The remaining 3 review findings (schedule wiring, resume poll loop, duplicate trigger events, update validation) will be addressed in a separate PR on fix/009-pipeline-review-findings
• PR feat(011): delete custom execution plumbing + integration tests (WP03+WP04) #33 (Inngest migration) inherits both of these bugs — flagged in a comment there

Test plan

• vitest run tests/pipelines/routes.test.ts — 13/13 pass
• tsc --noEmit — 0 new errors (pre-existing inngest type errors only)
• Full suite: 314/314 tests pass; 5 pre-existing failures from missing inngest package
• Reviewer: verify x-tenant-id header no longer appears in pipeline route logic

🤖 Generated with Claude Code