refactor: per-connection auth via Authorization header

Replace startup token authentication with per-SSE-connection auth.
Each client now passes Bearer token in Authorization header when
connecting. Server validates against config.yaml tokens and creates
isolated Server instance per connection.

- server.py: accept (auth, agent) instead of (config_path, token)
- main.py: extract Bearer token, authenticate, create server per connection
- Remove GRIST_MCP_TOKEN from docker-compose environments

tests/unit/test_server.py

@@ -1,6 +1,8 @@
 import pytest
 from mcp.types import ListToolsRequest
 from grist_mcp.server import create_server
+from grist_mcp.config import load_config
+from grist_mcp.auth import Authenticator
 
 
 @pytest.mark.asyncio
@@ -21,7 +23,10 @@ tokens:
         permissions: [read, write, schema]
 """)
 
-    server = create_server(str(config_file), token="test-token")
+    config = load_config(str(config_file))
+    auth = Authenticator(config)
+    agent = auth.authenticate("test-token")
+    server = create_server(auth, agent)
 
     # Server should have tools registered
     assert server is not None