v4.27.6 / v4.10.1: auth hardening + Studio token setup

Security:
- middleware: dev bypass restricted to localhost only (was open on all dev/staging)
- middleware: removed doctor-log from public path list
- hub/describe: added route-level Gitea auth (x-tinqs-user header + direct token fallback)

Studio:
- Token setup page shown when no Gitea token configured (link + paste field + save)
- POST /api/ide/token saves to config.json + sets env var (no restart needed)
- Fixed giteaToken() to read env vars (was config-file-only, screenshots had no auth)

Team Tool:
- v4.27.6: doctor-log POST now includes Authorization header
- v4.27.6: giteaToken() reads GITEA_TOKEN/TINQS_TOKEN env vars + macOS Keychain