fix(auth): reject implicit root fallback on tenant APIs

[Astro-Han]

Description

Reject implicit default/default fallback when the ROOT key calls tenant-scoped data APIs without explicit tenant headers.

This fixes the misleading success path behind issue #710: requests like add-resource, fs, and tenant-scoped debug APIs should fail fast instead of silently operating under the default tenant.

Related Issue

Fixes #710

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)
• Performance improvement
• Test update

Changes Made

• Add a guard in get_request_context() to require X-OpenViking-Account and X-OpenViking-User for ROOT requests to tenant-scoped APIs when auth is enabled
• Keep existing ROOT behavior for admin and monitoring/system routes that should still work without explicit tenant headers (/api/v1/admin/*, /api/v1/observer/*, /api/v1/debug/health, /api/v1/system/status, /api/v1/system/wait)
• Add regression tests covering authenticated mode, dev mode, tenant-scoped debug routes, and structured HTTP 400 responses

Testing

• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• I have tested this on the following platforms:
  • Linux
  • macOS
  • Windows

Commands run locally:

conda run -n openviking python -m ruff check openviking/server/auth.py tests/server/test_auth.py
conda run -n openviking python -m pytest tests/server/test_auth.py -q -k "root_tenant_scoped_requests or root_monitoring_requests or root_system_status_allows_implicit_default_identity or root_system_wait or root_debug_vector or dev_mode_root_tenant_scoped"

Note: I did not mark the full local test suite as passing because the local environment does not have the AGFS native library needed for the heavier server fixtures.

Checklist

• My code follows the project's coding style
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• Any dependent changes have been merged and published

Screenshots (if applicable)

N/A

Additional Notes

This PR intentionally keeps the fix minimal and server-side only. It does not add new CLI/client configuration for account/user headers; it only prevents misleading success when ROOT requests tenant-scoped APIs without explicit tenant identity.