fix(api): bind the v1 role guard to a verified agent token

[rennf93]

Supersedes #222 — credit to antfleet-ops for flagging the bypass. Re-done as our own change so it lands without the contributor CLA, and adds the positive valid-token test their PR was missing.

The v1 flow role guards (_require_roles) are the sole gate for /api/v1/flow/* but checked only the X-Agent-Role string — unlike get_agent_context, which verifies the token. So a forged role header passed, and in strict mode (ROBOCO_AGENT_AUTH_REQUIRED) the token was never required here. Now calls _check_agent_auth_token before the role test: missing token stays a no-op in header-trust mode, any presented token is verified, strict mode requires it.

Once this merges, #222 should be closed with a link here.

[github-actions]

Thanks for opening your first pull request on RoboCo!

Quick checklist before review (most of these are enforced by CI, but worth a glance):

• make quality — ruff format check, ruff check, mypy, pytest (≥80% coverage), and the rest of the gate
• Panel changes pass pnpm lint and pnpm exec tsc --noEmit (run from panel/)
• No # noqa / # type: ignore shortcuts; pre-existing violations in touched files are fixed
• Added an entry under ## [Unreleased] in CHANGELOG.md
• Signed the CLA (the bot will prompt you on this PR)
• Signed your commits — master requires verified signatures (SSH signing setup)
• Updated any affected docs under docs/

See CONTRIBUTING.md for the full workflow and the Code of Conduct for the community standards we follow.

Welcome aboard — a maintainer will review shortly.