
Commit 05d83a7

fix(restheart-mongo): prefix RESTHEART_ADMIN_AUTH with Authorization: at curl call sites
flow.sh's 214 admin-authenticated curl invocations passed the credential as `-H "$RESTHEART_ADMIN_AUTH"` where RESTHEART_ADMIN_AUTH defaults to `Basic YWRtaW46c2VjcmV0` (the credential value alone, no header name). curl renders that as a header value with no name and the request arrives at RESTHeart with no Authorization header, producing 401.

Effect on the lane:

- bootstrap's `PUT /<db>/<coll>` seed-collection writes all 401'd silently (each is `|| true`'d), so the seed collections were NEVER created. record-traffic ran against an empty mongo.
- record-traffic's 214 admin-authenticated calls all 401'd. The recorded testcases are 256 × 401 (out of 296), 25 × 404, and only 9 × 200 (the public /ping and OPTIONS preflights).
- Lane still passed-by-equality because both record and replay fail identically (the 401 wire bytes match), but the lane was not actually exercising RESTHeart's admin surface.

Fix: change the call site, not the env. `-H "$RESTHEART_ADMIN_AUTH"` → `-H "Authorization: $RESTHEART_ADMIN_AUTH"`. The env var stays a plain credential ("Basic YWRtaW46c2VjcmV0"), the curl line constructs the full HTTP header.

214 sites swapped via:

    sed -i 's|-H "\$RESTHEART_ADMIN_AUTH"|-H "Authorization: $RESTHEART_ADMIN_AUTH"|g'

Bare-smoke validation (docker compose up + flow.sh bootstrap + flow.sh record-traffic against vanilla restheart 9.2.1):

before:
    256 × 401
     25 × 404
      9 × 200

after:
    110 × 200
     59 × 201
     49 × 404
     33 × 405
     25 × 204
     16 × 401
     11 × 400
      8 × 403
      4 × 409
      3 × 500

The 16 remaining 401s are the genuinely intentional ones — bogus JWT bearer probe, malformed Digest, no-auth liveness, and similar. The 8 × 403 are real ACL-deny coverage that was previously unreachable behind the universal 401.
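The following is an added example, not code from the restheart-mongo repository or from this commit. It reproduces the `-H` construction mistake the message describes (a bare credential value handed to curl as if it were a header), shows the corrected form, and adds the two guards a reviewer would want around it: a lint that finds `-H "$VAR"` call sites with no header name, a non-destructive version of the commit's sed so the rewrite can be reviewed as a diff, and a status check to replace the `|| true` that let the bootstrap PUTs fail silently. `RESTHEART_URL`, `db` and `coll` appear only in comments and are assumptions; nothing here talks to a live RESTHeart.

```shell
#!/bin/sh
# Added example, not code from the restheart-mongo repository. Demonstrates the
# header-construction bug from the commit message and guards against it.
# RESTHEART_URL, db and coll (comments only) are hypothetical names.

# Same default the commit describes: a bare credential value, no header name.
RESTHEART_ADMIN_AUTH="${RESTHEART_ADMIN_AUTH:-Basic YWRtaW46c2VjcmV0}"

# How the original call sites built the -H argument (broken: no header name).
broken_header() { printf '%s' "$RESTHEART_ADMIN_AUTH"; }

# How the fixed call sites build it: curl needs the full "Name: value" form.
fixed_header() { printf 'Authorization: %s' "$RESTHEART_ADMIN_AUTH"; }

# Returns 0 if $1 is a well-formed "Name: value" header, 1 otherwise.
# Run this on any constructed string before handing it to curl -H.
is_header() {
  case "$1" in
    *:*)
      name="${1%%:*}"
      # the header name must be a non-empty token without whitespace
      case "$name" in
        '' | *' '*) return 1 ;;
      esac
      return 0 ;;
    *) return 1 ;;
  esac
}

# Lint: print lines from stdin that pass an env var to -H with no header
# name, i.e. the exact pattern the commit had to fix 214 times.
lint_curl_headers() {
  grep -n -- '-H "\$[A-Za-z_][A-Za-z0-9_]*"' | sed 's/^/suspicious: /'
}

# Non-destructive form of the sed from the commit message (stdin to stdout),
# so the rewrite can be diffed and reviewed before touching flow.sh.
fix_call_sites() {
  sed 's|-H "\$RESTHEART_ADMIN_AUTH"|-H "Authorization: $RESTHEART_ADMIN_AUTH"|g'
}

# Guard that replaces `|| true` on the bootstrap PUTs: a non-2xx status must
# fail loudly instead of leaving the seed collections uncreated.
require_2xx() {
  case "$1" in
    2[0-9][0-9]) return 0 ;;
    *) printf 'unexpected HTTP %s for %s\n' "$1" "$2" >&2; return 1 ;;
  esac
}
# Intended use at a bootstrap call site (hypothetical RESTHEART_URL; not run here):
#   code=$(curl -sS -o /dev/null -w '%{http_code}' -X PUT \
#            -H "$(fixed_header)" "$RESTHEART_URL/$db/$coll")
#   require_2xx "$code" "PUT /$db/$coll"

# Demonstration on a constructed call-site line (not a line from flow.sh).
sample='curl -s -H "$RESTHEART_ADMIN_AUTH" -X PUT "$RESTHEART_URL/db/coll" || true'
printf 'broken -H argument: %s\n' "$(broken_header)"
printf 'fixed  -H argument: %s\n' "$(fixed_header)"
printf '%s\n' "$sample" | lint_curl_headers
printf '%s\n' "$sample" | fix_call_sites
```

`is_header` is the cheap check that would have caught this before any request was sent: the broken value has no colon, so it is rejected, while the fixed value passes. `require_2xx` is the part that matters for the lane's trustworthiness: with the bootstrap PUTs guarded this way, a 401 aborts bootstrap instead of letting record and replay agree on an empty database.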
Parent: 8bd2d30

1 file changed: 214 additions & 214 deletions
