fix: close two CSRF origin-check security gaps

- Extend origin check to all /api/ requests (not just state-changing methods),
  closing the GET/HEAD/OPTIONS bypass that allowed cross-origin reads
- origin_allowed() now returns False when both Origin and Referer headers
  are absent, preventing script-initiated requests from bypassing the check
- Update AGENTS.md and README.md to document the changes

app.py

@@ -102,7 +102,7 @@ async def session_auth_middleware(request: Request, call_next):
         "/api/auth/heartbeat", "/api/auth/guest",
     }
 
-    if path.startswith("/api/") and is_state_changing(request.method):
+    if path.startswith("/api/"):
         if not origin_allowed(request):
             audit_event("origin_check", "denied", ip=ip, role="none",
                         details=f"{request.method} {path}", warning=True)