- Bearer token auth via --token flag or DREAMDICT_TOKEN env var
- Timing-safe comparison with crypto/subtle
- /health exempt for monitoring without credentials
- 401 response for missing/invalid tokens
- Auth disabled when no token configured (backwards compatible)
- Remove debug logging from cetempublico loader
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>