feat: secure Docker self-host auth

[ignitabull18]

Summary

• make Docker/Coolify self-hosting default to AUTH_MODE=cloudflare_access instead of local_noauth
• pass TEAM_DOMAIN and POLICY_AUD through compose with CLOUDFLARE_INCLUDE_PROCESS_ENV=true
• add explicit Cloudflare Access config validation with clear missing-variable errors
• keep local_noauth as an explicit trusted-local mode only
• align MCP self-host auth with app auth and allow cf-access-jwt-assertion in MCP CORS headers
• update README and Docker self-host docs with Coolify/Cloudflare Access setup and manual verification steps

Test Plan

• pnpm vitest run src/lib/self-host-auth-config.test.ts
• pnpm vitest run src/server/mcp/transport.test.ts
• pnpm test
• pnpm run lint
• pnpm run types:check
• pnpm run build
• DATAFORSEO_API_KEY=dummy TEAM_DOMAIN=https://team.cloudflareaccess.com POLICY_AUD=test-aud docker compose config

Mission Control: TASK-1920

[ignitabull18]

Post-implementation handoff: local verification passed before opening this PR: pnpm vitest run src/lib/self-host-auth-config.test.ts src/server/mcp/transport.test.ts; pnpm test; pnpm run lint; pnpm run types:check; pnpm run build; docker compose config confirmed secure Cloudflare Access env passthrough. Attempted merge from PC agent, but GitHub denied MergePullRequest permission for ignitabull18 on every-app/open-seo. PR remains mergeable and ready for repository maintainer merge.

[bensenescu]

Can you explain your self hosting set up here? Is it coolify with Cloudflare Access in front?

I don't want to change the default for docker since the intention that it should work with just a DataForSEO API Key, but maybe we can make the documentation clearer about other hosting options.