feat(go-api): API key middleware and rate limiting

## Summary
All developer-facing endpoints need authentication and basic rate limiting before Phase 1 ships.

## Acceptance Criteria

### API Key middleware
- [ ] Read `X-API-Key` header on all `/v1/*` and `/ws` requests
- [ ] HMAC-SHA256 hash the key with `API_KEY_SALT` env var; compare against stored hash
- [ ] Return 401 if header missing or key invalid
- [ ] Skip auth on `GET /v1/health`

### Rate limiting
- [ ] Token bucket per API key: 100 req/s sustained, burst 200 (configurable via env)
- [ ] Return 429 with `Retry-After` header when limit exceeded
- [ ] Use `golang.org/x/time/rate` (stdlib-adjacent, no heavy dependency)

### Tests
- [ ] Middleware unit tests: valid key passes, missing key → 401, invalid key → 401
- [ ] Rate limit test: exceed burst, assert 429

## Files
`services/api/middleware/auth.go` (new), `services/api/middleware/ratelimit.go` (new)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(go-api): API key middleware and rate limiting #16

Summary

Acceptance Criteria

API Key middleware

Rate limiting

Tests

Files

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

feat(go-api): API key middleware and rate limiting #16

Description

Summary

Acceptance Criteria

API Key middleware

Rate limiting

Tests

Files

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions