feat: add --anthropic-auth-token option for API access protection

[Copilot]

Adds optional authentication to the copilot-api server. When --anthropic-auth-token is set, clients must provide a matching token via x-api-key or Authorization: Bearer header. Without it, behavior is unchanged.

Changes

• src/lib/auth-middleware.ts — New Hono middleware with timing-safe token comparison (crypto.timingSafeEqual). Skips validation when no token is configured.
• src/lib/state.ts — Added anthropicAuthToken to State
• src/server.ts — Applied auth middleware globally
• src/start.ts — Added --anthropic-auth-token CLI arg; Claude Code command generation now uses the configured token instead of hardcoded "dummy"

Usage

# Start server with auth
copilot-api start --anthropic-auth-token my-secret-token

# Clients authenticate via either header:
curl -H "x-api-key: my-secret-token" http://localhost:4141/v1/messages
curl -H "Authorization: Bearer my-secret-token" http://localhost:4141/v1/messages

Unauthenticated or incorrect tokens receive a 401 response:

{ "error": { "message": "Invalid or missing authentication token", "type": "authentication_error" } }

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.