refactor: per-connection auth via Authorization header

Replace startup token authentication with per-SSE-connection auth.
Each client now passes Bearer token in Authorization header when
connecting. Server validates against config.yaml tokens and creates
isolated Server instance per connection.

- server.py: accept (auth, agent) instead of (config_path, token)
- main.py: extract Bearer token, authenticate, create server per connection
- Remove GRIST_MCP_TOKEN from docker-compose environments

deploy/dev/.env.example

@@ -1,3 +1 @@
-PORT=3000
-GRIST_MCP_TOKEN=your-token-here
-CONFIG_PATH=/app/config.yaml
+PORT=3010

deploy/dev/docker-compose.yml

@@ -10,7 +10,6 @@ services:
       - ../../src:/app/src:ro
       - ../../config.yaml:/app/config.yaml:ro
     environment:
-      - GRIST_MCP_TOKEN=${GRIST_MCP_TOKEN}
       - CONFIG_PATH=/app/config.yaml
     healthcheck:
       test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:3000/health')"]

deploy/prod/.env.example

@@ -1,3 +1 @@
 PORT=3000
-GRIST_MCP_TOKEN=your-production-token
-CONFIG_PATH=/app/config.yaml

deploy/prod/docker-compose.yml

@@ -9,7 +9,6 @@ services:
     volumes:
       - ./config.yaml:/app/config.yaml:ro
     environment:
-      - GRIST_MCP_TOKEN=${GRIST_MCP_TOKEN}
       - CONFIG_PATH=/app/config.yaml
     restart: unless-stopped
     deploy:

deploy/test/docker-compose.yml

@@ -9,8 +9,6 @@ services:
       - "3000"  # Dynamic port
     environment:
       - CONFIG_PATH=/app/config.yaml
-      - GRIST_MCP_TOKEN=test-token
-      - PORT=3000
     volumes:
       - ../../tests/integration/config.test.yaml:/app/config.yaml:ro
     depends_on: