refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.

src/Framework/ApiGateway/HasAuth.php

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Framework\ApiGateway;
+
+use App\Framework\HttpClient\AuthConfig;
+
+/**
+ * Marker interface for API requests that require authentication
+ *
+ * Requests implementing this interface provide AuthConfig
+ * instead of manually building Authorization headers.
+ *
+ * Example:
+ *   final readonly class AuthenticatedApiRequest implements ApiRequest, HasAuth
+ *   {
+ *       public function getAuth(): AuthConfig
+ *       {
+ *           return AuthConfig::basic($username, $password);
+ *       }
+ *   }
+ */
+interface HasAuth
+{
+    /**
+     * Get authentication configuration
+     */
+    public function getAuth(): AuthConfig;
+}