feat(auth): token-based admin authentication for Playwright/CI (#105)

Add POST /api/auth/token — validates ADMIN_TOKEN env var, creates a 24h
session and sets the sid cookie so automated tools can access the admin
panel without Google OAuth. Admin login page gains a token input form.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.env.example

@@ -10,6 +10,32 @@ API_BASE_URL=http://localhost:3078
 WEB_BASE_URL=http://localhost:3000
 ML_SERVING_URL=http://localhost:8000
 
+# MLflow (mlops profile) — http://localhost:5000/mlflow in dev, https://o.alogins.net/mlflow in prod.
+# MLFLOW_ADMIN_PASSWORD seeds the admin account on first boot (changing it after first run
+# requires the MLflow UI or API — see infra/mlflow/basic_auth.ini).
+MLFLOW_URL=http://localhost:5000
+MLFLOW_ADMIN_PASSWORD=change-me
+# Public URL shown as link in the admin sidebar (must be NEXT_PUBLIC_ to reach the browser).
+NEXT_PUBLIC_MLFLOW_URL=http://localhost:5000
+
+# Airflow (mlops profile) — http://localhost:8080/airflow in dev.
+# Start with: docker compose --profile full --profile mlops up
+AIRFLOW_URL=http://localhost:8080
+AIRFLOW_ADMIN_PASSWORD=change-me
+AIRFLOW_DB_PASSWORD=airflow
+AIRFLOW_SECRET_KEY=change-me-in-prod
+AIRFLOW_FERNET_KEY=
+AIRFLOW_BASE_URL=https://o.alogins.net/airflow
+# Public URL shown as link in the admin sidebar (must be NEXT_PUBLIC_ to reach the browser).
+NEXT_PUBLIC_AIRFLOW_URL=http://localhost:8080
+
+# Shared secret for Airflow→API internal callbacks. Generate: openssl rand -hex 32
+INTERNAL_API_TOKEN=
+
+# Static token for automated/service access to the admin panel (e.g. Playwright tests).
+# Leave empty to disable token-based login. Generate: openssl rand -hex 32
+ADMIN_TOKEN=
+
 # AI stack — shared Agap services (ollama + litellm + langfuse). Not run from oO.
 # Prod: https://llm.alogins.net  |  Dev: http://host.docker.internal:4000 from containers,
 # http://localhost:4000 from host. Ollama: http://host.docker.internal:11434 / :11434.