fix: Phase 1 - security & stability patches

- AuthMiddleware now requires auth on /v1/* routes (returns 401)
- WebSocket origin check configurable via WSAllowedOrigin
- Removed debug fmt.Printf leaks (config, ollama, server)
- Registry access protected by sync.RWMutex (race condition fix)
- Session cleanup goroutine runs every 15 min
- RevokeSession returns error instead of silent no-op

.pi-lens/install-choices.json

@@ -0,0 +1,6 @@
+{
+	"gopls": {
+		"choice": "yes",
+		"timestamp": 1775750416837
+	}
+}