feat(auth): fall back to GITEA_MCP_DEFAULT_TOKEN when no Bearer header

claude.ai connectors call the server with no Authorization header (confirmed
via request logging). Add a configurable default Gitea PAT so unauthenticated
clients (like claude.ai) can still reach the server.

Claude Code continues to pass per-request PATs; defaultToken="" preserves
the existing strict behaviour when the env var is unset.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/auth/bearer.go

@@ -12,13 +12,19 @@ type tokenKey struct{}
 // BearerMiddleware validates the incoming bearer token as a Gitea PAT by
 // calling GET /api/v1/user. The validated token is stored in context for
 // downstream use by the Gitea client.
-func BearerMiddleware(giteaBaseURL string, next http.Handler) http.Handler {
+//
+// defaultToken, if non-empty, is used when no Authorization header is present
+// (e.g. claude.ai connectors which do not inject Bearer tokens).
+func BearerMiddleware(giteaBaseURL, defaultToken string, next http.Handler) http.Handler {
 	hc := &http.Client{Timeout: 5 * time.Second}
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
 		if !ok || token == "" {
-			http.Error(w, "unauthorized", http.StatusUnauthorized)
-			return
+			if defaultToken == "" {
+				http.Error(w, "unauthorized", http.StatusUnauthorized)
+				return
+			}
+			token = defaultToken
 		}
 		req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, giteaBaseURL+"/api/v1/user", nil)
 		if err != nil {