Require auth for runtime status/log endpoints when bound beyond localhost

[techmore]

Problem\nSeveral runtime endpoints return operational data without auth (status, settings summary, logs). If NMAPUI_HOST is set to 0.0.0.0 or otherwise exposed, these endpoints can leak operational details without credentials.\n\n## Evidence\n- /api/runtime/status, /api/runtime/settings-summary, /api/runtime/logs are not protected by require_auth (nmapui/handlers/routes.py).\n\n## Proposed Fix\n- Enforce require_auth on runtime endpoints whenever request_is_local_ui() is false.\n- Optionally gate with a config flag to keep local-only UX friction low.\n- Add explicit tests for unauthorized access when binding to non-loopback interfaces.\n\n## Notes\nThis aligns with the existing authentication model and avoids exposing runtime logs and configuration summaries to the network.

[techmore]

Tracking under #164 (Security hardening).

[techmore]

Fixed in 9c3a17e — added @require_auth to /api/runtime/status, /api/runtime/settings-summary, and /api/runtime/logs. The decorator already short-circuits for local loopback requests via request_is_local_ui(), so local UI behavior is unchanged. Tests updated to simulate local-UI context.