Harden security, modularize API bootstrap, and fix scale SSE auth.

Block web access to sensitive paths, require API_TOKEN for mutations, encrypt GitHub issue credentials in .env, auto-provision tokens for same-origin clients, and pass api_token in scale relay URLs since EventSource cannot send headers.

Co-authored-by: Cursor <cursoragent@cursor.com>

scripts/fix-permissions.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# Fix ownership and permissions for EverShelf runtime directories.
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+WEB_USER="${WEB_USER:-www-data}"
+
+chown -R "${WEB_USER}:${WEB_USER}" "${ROOT}/data" "${ROOT}/logs" 2>/dev/null || true
+chmod 750 "${ROOT}/data" "${ROOT}/logs"
+chmod 640 "${ROOT}/.env" 2>/dev/null || true
+find "${ROOT}/data" -type f -exec chmod 660 {} \;
+find "${ROOT}/logs" -type f -exec chmod 640 {} \;
+echo "Permissions updated for ${WEB_USER}"