feat: 引入 vmauth 鉴权与严格多租户

- 对外端口统一为 18428（vmauth 入口），VM 不再直接暴露宿主机端口
- 边缘 vmagent 与中央 Prometheus remote_write 增加 basic auth
- 支持 tenants.csv 驱动的 per-tenant 写入/查询隔离，并提供管理员跨租户只读查询
- 更新 Grafana provisioning 与部署/文档

Made-with: Cursor

central-server/docker-compose.yml

@@ -77,14 +77,25 @@ services:
     container_name: victoria-metrics
     restart: unless-stopped
     mem_limit: "64m"
-    ports:
-      - "${VICTORIAMETRICS_PORT:-8428}:8428"
     volumes:
       - ${VICTORIAMETRICS_DATA_DIR:-./data/victoria-metrics-data}:/victoria-metrics-data
     command:
       - '--storageDataPath=/victoria-metrics-data'
       - "--retentionPeriod=${VICTORIAMETRICS_RETENTION_PERIOD:-30d}"
-      - "--httpListenAddr=:${VICTORIAMETRICS_PORT:-8428}"
+
+  # vmauth：VictoriaMetrics 的鉴权/路由入口（对外只暴露 vmauth）
+  vmauth:
+    image: victoriametrics/vmauth:latest
+    container_name: vmauth
+    restart: unless-stopped
+    mem_limit: "64m"
+    ports:
+      - "${VICTORIAMETRICS_PORT:-18428}:8427"
+    volumes:
+      - ./config/vmauth/vmauth.yml:/etc/vmauth/vmauth.yml:ro
+    command:
+      - "-auth.config=/etc/vmauth/vmauth.yml"
+      - "-httpListenAddr=:8427"
 
   # GPS 标注助手（上传/下载 targets.csv，H5 采集 GPS + 天地图校验）
   topology-editor: