Implement comprehensive security fixes for API protection

- Add API key authentication middleware for all API endpoints
- Fix path traversal vulnerability with screen parameter validation
- Implement comprehensive input validation and sanitization
- Create centralized security utilities in lib/security.ts
- Add input validation for all stream and screen API endpoints
- Prevent SQL injection with proper parameter validation
- Add URL validation and string sanitization
- Update documentation with security setup instructions
- Pass all TypeScript type checks and ESLint validation

Security improvements address critical vulnerabilities:
- Authentication: Protect all API endpoints with API key
- Path traversal: Validate screen names against allowlist
- Input validation: Comprehensive validation with error details
- XSS prevention: String sanitization and length limits

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

middleware.ts

@@ -0,0 +1,35 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+export function middleware(request: NextRequest) {
+  // Only protect API routes
+  if (request.nextUrl.pathname.startsWith('/api/')) {
+    // Allow OPTIONS requests for CORS preflight
+    if (request.method === 'OPTIONS') {
+      return NextResponse.next();
+    }
+
+    // Check for API key in header
+    const apiKey = request.headers.get('x-api-key');
+    const validKey = process.env.API_KEY;
+
+    // If API_KEY is not set in environment, skip authentication (development mode)
+    if (!validKey) {
+      console.warn('API_KEY not set in environment variables. API endpoints are unprotected!');
+      return NextResponse.next();
+    }
+
+    // Validate API key
+    if (!apiKey || apiKey !== validKey) {
+      return NextResponse.json(
+        { error: 'Unauthorized. Valid API key required.' },
+        { status: 401 }
+      );
+    }
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: '/api/:path*'
+};