feat: Phase 9 — Offline Detection, API Key Auth, Agent Self-Update

Offline Detection (9.1):
- AgentOfflineDetectorService: BackgroundService, prüft alle 60s
  ob Agents seit >5 min kein Heartbeat hatten → Status=Offline
- IServiceScopeFactory für korrektes Scoped-DI im Singleton
- SignalR-Push AgentStatusChanged bei jeder Offline-Markierung

API Key Auth (9.2):
- ApiKeyMiddleware: prüft X-Api-Key Header gegen Security:ApiKey Config
- Deaktiviert wenn ApiKey leer (Dev-Modus), Swagger/hubs bypassed
- Frontend: getApiKey() aus localStorage, automatisch in allen Requests
- Settings-Modal in Sidebar: API-Key eingeben + maskiert anzeigen

Agent Self-Update (9.3):
- internal/updater/updater.go: CheckForUpdate() + Update()
  Download, SHA256-Verify, Windows Batch-Neustart / Linux Shell-Neustart
- AgentReleasesController: GET /api/v1/agent/releases/latest,
  GET /api/v1/agent/releases/download/{platform}
- AgentReleaseOptions: LatestVersion, ReleasePath, Checksum in appsettings
- executeCommand() erhält cfg *Config statt agentID string
  (für ServerAddress-Ableitung im UpdateAgent-Case)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Frontend/src/api/client.ts

@@ -20,9 +20,18 @@ import type {
 
 const BASE_URL = '/api/v1'
 
+// API-Key aus localStorage lesen (leer = Auth deaktiviert)
+function getApiKey(): string {
+  return localStorage.getItem('nexusrmm_api_key') ?? ''
+}
+
 async function request<T>(path: string, options?: RequestInit): Promise<T> {
   const res = await fetch(`${BASE_URL}${path}`, {
-    headers: { 'Content-Type': 'application/json', ...options?.headers },
+    headers: {
+      'Content-Type': 'application/json',
+      ...(getApiKey() ? { 'X-Api-Key': getApiKey() } : {}),
+      ...options?.headers
+    },
     ...options,
   })
   if (!res.ok) {