Step 39: API key authentication for goshipd #24

@guilhermebr

Summary

Add API key authentication to goshipd. Keys are generated via CLI, stored as SHA256 hashes in the state store, and validated via middleware on every API request.

What Changes

  • pkg/domain/entities/auth.go (new) — APIKey struct (Name, KeyHash, CreatedAt)
  • pkg/domain/entities/state.go (modified) — Add APIKeys map[string]*APIKey to LocalState
  • internal/api/middleware/auth.go (new) — Auth middleware: extracts Authorization: Bearer <key> header, hashes key, compares against stored hashes, rejects unauthorized requests
  • internal/api/handlers/auth.go (new) — Handlers: CreateAPIKey, ListAPIKeys, RevokeAPIKey
  • internal/client/auth.go (new) — Client methods for key management, Client stores API key for authenticated requests
  • cmd/goshipctl/commands/auth.go (new) — CLI: goshipctl auth create-key, auth list-keys, auth revoke-key

Acceptance Criteria

  • goshipctl auth create-key NAME generates and displays a new API key
  • Raw key shown only once; SHA256 hash stored in state
  • goshipctl auth list-keys shows key names and creation dates (not raw keys)
  • goshipctl auth revoke-key NAME removes a key
  • Auth middleware validates Authorization: Bearer header on all API routes
  • Auth can be enabled/disabled via GOSHIP_AUTH_ENABLED config
  • HTTP client sends API key header when configured
  • go test ./... passes

Dependencies
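
The key handling described in the summary and the middleware entry above (random key shown once, SHA-256 hash stored, `Authorization: Bearer <key>` hashed and compared), as an added Go example that is not part of this issue or the goshipd code. The names `NewKey`, `Authorize` and `hashKey`, the 32-byte key length and the key name `ci` are assumptions; `APIKey` is reduced to the two fields the check needs, and `Authorize` is the check a middleware would call with the request's header value.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// APIKey is what the state store keeps: a name and the hash, never the raw key.
type APIKey struct{ Name, KeyHash string }

func hashKey(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// NewKey returns the raw key (to display once) and the record to persist.
func NewKey(name string) (string, *APIKey, error) {
	b := make([]byte, 32) // 256 random bits, so a fast unsalted hash is enough
	if _, err := rand.Read(b); err != nil {
		return "", nil, err
	}
	raw := hex.EncodeToString(b)
	return raw, &APIKey{Name: name, KeyHash: hashKey(raw)}, nil
}

// Authorize checks an Authorization header value against every stored hash.
func Authorize(keys map[string]*APIKey, header string) bool {
	presented := []byte(hashKey(strings.TrimPrefix(header, "Bearer ")))
	found := 0
	for _, k := range keys { // no early exit; each compare is constant-time
		found |= subtle.ConstantTimeCompare([]byte(k.KeyHash), presented)
	}
	return strings.HasPrefix(header, "Bearer ") && found == 1
}

func main() {
	raw, rec, err := NewKey("ci") // "ci" is a constructed key name
	if err != nil {
		panic(err)
	}
	keys := map[string]*APIKey{rec.Name: rec}
	// Prints "true false": the stored hash itself is not a usable credential.
	fmt.Println(Authorize(keys, "Bearer "+raw), Authorize(keys, "Bearer "+rec.KeyHash))
}
```

Revoking a key is a `delete` on the map, after which the same header is rejected on the next request.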
