feat: 引入 vmauth 鉴权与严格多租户

- 对外端口统一为 18428（vmauth 入口），VM 不再直接暴露宿主机端口
- 边缘 vmagent 与中央 Prometheus remote_write 增加 basic auth
- 支持 tenants.csv 驱动的 per-tenant 写入/查询隔离，并提供管理员跨租户只读查询
- 更新 Grafana provisioning 与部署/文档

Made-with: Cursor

edge-agent/docker-compose.yml

@@ -10,7 +10,9 @@ services:
     restart: unless-stopped
     environment:
       - CENTRAL_SERVER_HOST=${CENTRAL_SERVER_HOST:-192.168.1.10}
-      - CENTRAL_SERVER_PORT=${CENTRAL_SERVER_PORT:-8428}
+      - CENTRAL_SERVER_PORT=${CENTRAL_SERVER_PORT:-18428}
+      - VMAUTH_WRITE_USER=${VMAUTH_WRITE_USER:-vm_write}
+      - VMAUTH_WRITE_PASSWORD=${VMAUTH_WRITE_PASSWORD:-change-me-strong-write}
     volumes:
       - vmagent-cache-data:/cache
       - ./config/vmagent/vmagent-scrape.yml.template:/etc/vmagent/scrape.yml:ro
@@ -25,6 +27,8 @@ services:
     command:
       - -promscrape.config=/etc/vmagent/scrape.yml
       - -remoteWrite.url=http://${CENTRAL_SERVER_HOST}:${CENTRAL_SERVER_PORT}/api/v1/write
+      - -remoteWrite.basicAuth.username=${VMAUTH_WRITE_USER}
+      - -remoteWrite.basicAuth.password=${VMAUTH_WRITE_PASSWORD}
       - -remoteWrite.tmpDataPath=/cache/remotewrite
       - -remoteWrite.maxDiskUsagePerURL=512MB
       - -memory.allowedPercent=80