refactor: replace global API_KEY with per-app clientApiKey

Remove global API_KEY env var and its validation in checkAuth.
Auth via x-api-key now exclusively uses clientApiKey per-app
validated inline on POST /api/bugs.

src/app.ts

@@ -36,13 +36,6 @@ async function checkAuth(request: Request): Promise<AuthResult | null> {
     }
   }
 
-  const apiKey = request.headers.get('x-api-key')
-  if (apiKey && apiKey === env.API_KEY) {
-    const developer = await prisma.user.findFirst({ where: { role: 'DEVELOPER' } })
-    if (!developer) return null
-    return { actingUserId: developer.id, reporterUserId: null, isApiKey: true }
-  }
-
   return null
 }
 
@@ -885,7 +878,7 @@ export function createApp() {
         set.status = 401
         return { error: 'Unauthorized: provide session cookie or valid X-API-Key' }
       }
-      const { actingUserId, reporterUserId, isApiKey } = auth
+      const { actingUserId, reporterUserId } = auth
 
       const bug = await prisma.bug.create({
         data: {

src/lib/env.ts

@@ -17,7 +17,6 @@ export const env = {
   GOOGLE_CLIENT_ID: required('GOOGLE_CLIENT_ID'),
   GOOGLE_CLIENT_SECRET: required('GOOGLE_CLIENT_SECRET'),
   SUPER_ADMIN_EMAILS: optional('SUPER_ADMIN_EMAIL', '').split(',').map(e => e.trim()).filter(Boolean),
-  API_KEY: required('API_KEY'),
   MINIO_ENDPOINT: required('MINIO_ENDPOINT'),
   MINIO_PORT: parseInt(optional('MINIO_PORT', '443'), 10),
   MINIO_USE_SSL: optional('MINIO_USE_SSL', 'true') === 'true',