fix: accept Authorization: Bearer in agent_auth_context_optional

The optional variant of get_agent_auth_context had accept_authorization=False,
which prevented agents using Authorization: Bearer from passing through the
ACTOR_DEP / BOARD_READ_DEP / TASK_DEP dependency chain.

This caused 401 on any agent route that resolves a board or task via the shared
ACTOR_DEP (e.g. PATCH /agent/boards/{id}/tasks/{id} and
POST /agent/boards/{id}/tasks/{id}/comments), even though the same token worked
fine on routes that use AGENT_CTX_DEP directly (accept_authorization=True).

Fix: set accept_authorization=True in get_agent_auth_context_optional so both
X-Agent-Token and Authorization: Bearer are accepted consistently.

Verified: PATCH and POST /comments now resolve board/task correctly when
Authorization: Bearer is used. No security regression — agent_token_hash
comparison rejects any non-agent bearer tokens.
Adam Grenier
2026-02-26 11:51:45 -08:00
parent 893e06f579
commit 3b20e799e2

@@ -143,11 +143,19 @@ async def get_agent_auth_context_optional(
authorization: str | None = Header(default=None, alias="Authorization"),
session: AsyncSession = SESSION_DEP,
) -> AgentAuthContext | None:
"""Optionally resolve agent auth context from `X-Agent-Token` only."""
"""Optionally resolve agent auth context from `X-Agent-Token` or `Authorization: Bearer`.
Both `X-Agent-Token` and `Authorization: Bearer <token>` are accepted so that
routes depending on this function (e.g. board/task dependency resolvers) behave
consistently with `get_agent_auth_context`, which also accepts both headers.
Previously, `accept_authorization=False` caused 401 on any route that resolved
a board or task via the shared `ACTOR_DEP` chain (e.g. PATCH /tasks/{id},
POST /tasks/{id}/comments) when the caller used `Authorization: Bearer`.
"""
resolved = _resolve_agent_token(
agent_token,
authorization,
accept_authorization=False,
accept_authorization=True,
)
if not resolved:
if agent_token:
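Review bot: the `if not resolved: if agent_token:` branch at the end of the hunk only distinguishes the `X-Agent-Token` case; now that `accept_authorization=True` lets `_resolve_agent_token` consume the `Authorization` header too, the error path should be reviewed for the case where a Bearer token is present but does not resolve to an agent (for example a user session token reaching an agent route through the shared `ACTOR_DEP` chain). For the "optional" variant the expected outcome is presumably `None` so the caller can fall through, not a 401, and that behaviour is not visible in this hunk. Two smaller points: the `accept_authorization=True` literal is now hard-coded identically in both `get_agent_auth_context` and `get_agent_auth_context_optional`, so lifting it into one shared constant (or a parameter with a single default) would keep the two from drifting apart again, which is how this bug arose; and the "Previously, `accept_authorization=False` caused 401 ..." paragraph in the new docstring is change history that already lives in the commit message, so the docstring could stop after "which also accepts both headers." The commit message's claim that the `agent_token_hash` comparison rejects non-agent bearer tokens is not exercised by these lines either, so a test that presents a non-agent Bearer token to one of the `ACTOR_DEP` routes would make that guarantee checkable.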