fix(gateway): enforce API key auth on inventory and budget services (#5)

- Added X-API-Key middleware to inventory-service and budget-service
- Services reject all requests without valid API key (401)
- Gateway proxy injects service API keys for inventory and budget
- Dashboard widget fetchers inject API keys
- Generated unique API keys per service, stored in .env
- Added SERVICE_API_KEY env var to docker-compose for both services

Partial fix for #5 — internal services now require auth.
Remaining: document trust model, validate service token semantics.
Yusuf Suleman
2026-03-29 09:06:41 -05:00
parent fb79f15f75
commit fcb9383623
6 changed files with 43 additions and 4 deletions


@@ -283,16 +283,21 @@ class GatewayHandler(ResponseMixin, BaseHTTPRequestHandler):
self._send_json({"error": "Unknown service"}, 404)
return
from config import MINIFLUX_API_KEY
from config import MINIFLUX_API_KEY, INVENTORY_SERVICE_API_KEY, BUDGET_SERVICE_API_KEY
headers = {}
ct = self.headers.get("Content-Type")
if ct:
headers["Content-Type"] = ct
# Inject service-level auth
if service_id == "reader" and MINIFLUX_API_KEY:
headers["X-Auth-Token"] = MINIFLUX_API_KEY
elif service_id == "trips" and TRIPS_API_TOKEN:
headers["Authorization"] = f"Bearer {TRIPS_API_TOKEN}"
elif service_id == "inventory" and INVENTORY_SERVICE_API_KEY:
headers["X-API-Key"] = INVENTORY_SERVICE_API_KEY
elif service_id == "budget" and BUDGET_SERVICE_API_KEY:
headers["X-API-Key"] = BUDGET_SERVICE_API_KEY
elif user:
svc_token = get_service_token(user["id"], service_id)
if svc_token:
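Review bot: the new `inventory` and `budget` branches inject the service-wide API key before the `elif user:` check ever runs, so the key is attached for every request the gateway proxies to those services, whether or not the gateway has authenticated the caller. Since the services now treat `X-API-Key` as sufficient (401 otherwise), this makes the gateway's own session check the only thing standing between an anonymous client and both services; unless an earlier check in `GatewayHandler` already rejects unauthenticated requests for these service ids, the injection should be gated on `user` (for example `elif service_id == "inventory" and user and INVENTORY_SERVICE_API_KEY:`), and that decision belongs in the trust-model write-up the message lists as remaining. A second, smaller point: the `and INVENTORY_SERVICE_API_KEY` / `and BUDGET_SERVICE_API_KEY` guards mean a missing env var silently falls through to the per-user `get_service_token` path, which the hardened services will reject with 401; consider failing at config load when `SERVICE_API_KEY` is unset so the misconfiguration surfaces at startup rather than as opaque 401s in the dashboard.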