feat: allow Sanctum-authenticated sessions through VerifyApiKey middleware

Enables stateful API via Sanctum so the Vue SPA can call /api/* routes
using cookie auth, without requiring an X-Api-Key header.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/Feature/VerifyApiKeyMiddlewareTest.php

@@ -0,0 +1,29 @@
+<?php
+
+use App\Models\User;
+use Laravel\Sanctum\Sanctum;
+
+it('rejects requests without api key or sanctum session', function (): void {
+    $response = $this->getJson('/api/stations?postcode=SW1A1AA&fuel_type=petrol');
+
+    $response->assertStatus(403);
+});
+
+it('accepts requests with valid api key', function (): void {
+    config(['app.api_secret_key' => 'test-secret']);
+
+    $response = $this->withHeader('X-Api-Key', 'test-secret')
+        ->getJson('/api/stations?postcode=SW1A1AA&fuel_type=petrol');
+
+    // 403 would mean middleware rejected — any other status means it passed through
+    expect($response->status())->not->toBe(403);
+});
+
+it('accepts requests from sanctum authenticated users', function (): void {
+    $user = User::factory()->create();
+    Sanctum::actingAs($user);
+
+    $response = $this->getJson('/api/stations?postcode=SW1A1AA&fuel_type=petrol');
+
+    expect($response->status())->not->toBe(403);
+});