Add router auth regression tests

[dceoy]

Summary

• add router-level auth coverage for GET /api/v1/symbols
• verify the endpoint returns 401 when auth is enabled and no API key is provided
• verify the endpoint remains reachable and is removed from OpenAPI security when MT5_API_KEY is unset

Verification

• ./scripts/qa.sh

Context

• reported runtime behavior showed /api/v1/symbols?group=*USD* returning a 503 when MT5_API_KEY was unset
• current source already has optional auth support; this PR locks the expected router-level behavior down with regression tests

[claude]

Good addition — the assert_not_called() check on the mock is particularly valuable here, confirming that auth rejection short-circuits before the MT5 layer is reached rather than just checking the status code. The OpenAPI schema assertion is also a nice low-cost regression guard.

Two items worth addressing:

1. Missing invalid-key test for symbols (inline comment on test_auth.py): the version endpoint covers all three auth cases (missing key, invalid key, valid key); the symbols additions only cover two. The invalid-key branch produces a distinct error shape that's worth locking down.

2. Note placement in docs/index.md (inline comment): the "Replace windows-host..." note sits after the uvicorn startup command rather than before the curl examples, which is slightly misleading.

The documentation switch from powershell/curl.exe to console/curl is a clear improvement for cross-platform readers.