feat: sécurité HIGH — token Bearer, validation, rate limiting, headers

- Token Bearer auth sur le streaming server (auto-généré ou env var)
- Validation actions replay (types, longueurs, coordonnées 0-1)
- Rate limiting in-memory (10 replays/min, 200 images/min)
- Security headers Flask (nosniff, SAMEORIGIN, XSS)
- Validation uploads (50MB max, MIME type)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

agent_v0/agent_v1/config.py

@@ -25,6 +25,10 @@ SERVER_URL = os.getenv("RPA_SERVER_URL", "http://localhost:5005/api/v1")
 UPLOAD_ENDPOINT = f"{SERVER_URL}/traces/upload"
 STREAMING_ENDPOINT = f"{SERVER_URL}/traces/stream"
 
+# Token d'authentification API (doit correspondre au token du serveur)
+# Configurable via variable d'environnement RPA_API_TOKEN
+API_TOKEN = os.environ.get("RPA_API_TOKEN", "")
+
 # Paramètres de session
 MAX_SESSION_DURATION_S = 60 * 60  # 1 heure
 SESSIONS_ROOT = BASE_DIR / "sessions"