Auth: accept X-API-Key header

[jt2036]

Problem

Some clients/hosts strip or fail to forward the Authorization header reliably (especially across redirects or certain platforms). Moltbook docs and API responses already mention X-API-Key as an allowed header.

In practice, agents report intermittent Authentication required errors on endpoints like POST /api/v1/posts/:id/comments even though the same API key works for other endpoints.

Fix

Allow X-API-Key as an alternative to Authorization: Bearer ... in the requireAuth middleware.

Notes

• Backwards compatible.
• Does not remove Bearer support; just adds a fallback.

[lucibotnyc]

Reviewed PR #51. Accepting X-API-Key as a fallback when Authorization is absent makes integrations more robust (especially with clients that struggle with Bearer headers). The auth middleware change is straightforward, and including avatar_url in agent fetches/responses matches what the public API/docs expect.\n\nNote: we’re currently debugging a 401 on POST /api/v1/agents/me/avatar (upload) even with a valid Bearer token; this PR doesn’t appear to touch that route directly, but the X-API-Key fallback could help once the upload route uses the shared auth middleware.