feat(api): add authentication and analytics endpoints

Protect all analysis endpoints with JWT authentication:
- Require valid access token for analysis operations
- Add CORS middleware for React frontend (localhost:3000, 5173)

Add auth endpoints:
- POST /auth/register - user registration (first user becomes admin)
- POST /auth/login - JWT token issuance
- POST /auth/refresh - token refresh
- GET /auth/me - current user info

Add admin endpoints:
- GET /admin/users - list all users
- PATCH /admin/users/{id}/role - update user role
- DELETE /admin/users/{id} - delete user

Add analytics endpoint:
- GET /analytics - usage statistics by company and type

Update .env.example with USE_CACHE and JWT_SECRET config

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.env.example

@@ -6,11 +6,16 @@ API_KEY=your_serpapi_key_here
 # OpenRouter API key for LLM analysis
 OPENROUTER_API_KEY=your_openrouter_key_here
 
-# Database configuration (for docker-compose setup)
+# Database configuration
+# All messages are stored in the database for persistence and caching
 DATABASE_URL=postgresql://postgres:postgres@localhost:5432/sparc
 
-# Toggle between database mode and API mode
-# When USE_DATABASE=true: stores all messages in database instead of sending to OpenRouter
-# When USE_DATABASE=false: sends messages to OpenRouter API as normal
-# Default: false
-USE_DATABASE=false
+# Cache configuration
+# When USE_CACHE=true: check database for cached responses before making API calls
+# When USE_CACHE=false: always make fresh API calls (still stores results in database)
+# Default: true
+USE_CACHE=true
+
+# JWT Secret for authentication
+# IMPORTANT: Change this to a secure random string in production
+JWT_SECRET=your-secure-jwt-secret-change-in-production