AI endpoint auth contract + production hardening (ai-001) #36
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3222c996e3
| ) -> Result<Json<serde_json::Value>, (StatusCode, Json<ErrorEnvelope>)> { | ||
| let pool = state.db.as_ref().ok_or_else(database_unavailable)?; | ||
| let actor = AuthenticatedUser::optional_from_headers(&state, &headers).await?; | ||
| let actor = AuthenticatedUser::from_headers(&state, &headers).await?.0; |
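Review bot: The pool lookup `state.db.as_ref().ok_or_else(database_unavailable)?` still runs before `AuthenticatedUser::from_headers(&state, &headers).await?.0`, so when the pool is missing an unauthenticated caller gets the `database_unavailable` error rather than the auth rejection, and anonymous clients can tell the two backend states apart. Now that auth is mandatory, consider resolving `actor` first and `pool` second, unless `from_headers` itself needs the pool, in which case a comment saying so would help. Separately, `actor` is now taken from `.0` of a required extractor instead of the optional one, so any later branch in this handler that handled a missing actor should be removed or rechecked in the same change.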
Update AI docs for required authentication
This switches the repository AI endpoint from optional to mandatory auth, and the same pattern is repeated for the PR and changelog handlers below, but the user-facing API catalog still says auth is “Optional signed opengithub session cookie” for all three AI endpoints (web/src/lib/api-docs.ts:96, web/src/lib/api-docs.ts:120, web/src/lib/api-docs.ts:139). Clients following /docs/api for public repositories will now make unauthenticated calls and receive 401 not_authenticated, so the docs/examples should be updated to describe the required session/PAT contract.
AI endpoint auth contract plus production-readiness hardening (health liveness/readiness split, HTTPS config validation, prod Dockerfiles/IaC).
—
Preserved from QA-worktree cleanup on 2026-06-16. Web QA: biome lint clean; vitest green where unit tests exist. Rust build/test not run locally (would regenerate large target dirs). Opened against staging for review.
🤖 Generated with Claude Code