[SECURITY] Require auth for production API GET endpoints unless demo mode is explicit

[m-khan-97]

Objective

Make API GET authentication production-aware so real cloud posture data is not public by default in deployed environments.

Why this matters

api/app.py currently treats every /api/* GET request as public. This is convenient for a public demo dashboard, but it is risky when the same backend is used with real Azure scan data.

Findings, resources, compliance status, drift events, CVE summaries, and prioritization output can reveal sensitive information about an organization's cloud environment. In production, those reads should require authentication unless the deployment explicitly opts into public demo mode.

Current behavior

In api/app.py, _is_public_get() returns true for all paths starting with /api/.

Docs also state that all /api/* GET routes are public.

Suggested implementation

1. Keep /health public.
2. Add an explicit public-demo flag, for example OPENSHIELD_PUBLIC_DEMO=true.
3. In production (OPENSHIELD_ENV=production or RENDER=true), require JWT auth for /api/* GET routes unless public demo mode is explicitly enabled.
4. Update docs so demo and production auth behavior are clearly separated.
5. Add tests for local demo, production authenticated GET, and production unauthenticated GET.

Files likely involved

• api/app.py
• docs/api-reference.md
• docs/api-render-deploy.md
• frontend/API_ENDPOINTS.txt
• tests/

Acceptance criteria

• /health remains public in all environments
• Production /api/* GET routes return 401 without a valid JWT by default
• Public demo mode can explicitly allow unauthenticated GET routes
• Frontend/live docs explain when JWT is required
• Tests cover default production behavior and explicit public demo behavior

Review pair

API and Backend: Safid + Ritik