- Bearer token auth via --token flag or DREAMDICT_TOKEN env var - Timing-safe comparison with crypto/subtle - /health exempt for monitoring without credentials - 401 response for missing/invalid tokens - Auth disabled when no token configured (backwards compatible) - Remove debug logging from cetempublico loader Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>