Resolve conflict between token security and dashboard functionality

Add separate api_token_access_control_middleware that runs AFTER auth_middleware
so request.state.is_global_token is already set when checking permissions.

Final middleware execution order (FIRST to LAST on request):
1. ProxyHeadersMiddleware
2. SessionMiddleware
3. CORSMiddleware
4. tier_limit_middleware
5. api_token_access_control_middleware (NEW) - blocks global tokens from user endpoints
6. auth_middleware - sets is_global_token flag
7. dashboard_context_middleware - sets is_aisbf_cloud and welcome_shown

✅ Token security: Global tokens CANNOT access /api/u/* user endpoints
✅ Dashboard: Welcome modal and footer links work correctly
✅ Boot flow: Models load from providers.json on startup

main.py

@@ -1430,6 +1430,44 @@ async def auth_middleware(request: Request, call_next):
     return response
 
 
+# Global API Token Access Control Middleware
+@app.middleware("http")
+async def api_token_access_control_middleware(request: Request, call_next):
+    """Block global tokens from accessing user-specific endpoints"""
+    
+    # Only apply to API and MCP endpoints
+    if (request.url.path.startswith("/api/u/") or 
+        request.url.path.startswith("/mcp/u/") or
+        request.url.path.startswith("/api/v1/u/") or
+        request.url.path.startswith("/mcp/v1/u/")):
+        
+        is_global_token = getattr(request.state, 'is_global_token', False)
+        user_id = getattr(request.state, 'user_id', None)
+        
+        if is_global_token:
+            return JSONResponse(
+                status_code=403,
+                content={"error": "Global tokens cannot access user-specific endpoints. Use the user's own API token."}
+            )
+        
+        # Extract username from path and verify ownership
+        path_parts = request.url.path.split('/')
+        if len(path_parts) >= 4 and path_parts[2] == 'u':
+            target_username = path_parts[3]
+            
+            db = DatabaseRegistry.get_config_database()
+            authenticated_user = db.get_user_by_id(user_id)
+            
+            if not authenticated_user or authenticated_user['username'] != target_username:
+                return JSONResponse(
+                    status_code=403,
+                    content={"error": "You can only access your own user-specific endpoints."}
+                )
+    
+    response = await call_next(request)
+    return response
+
+
 # Account Tier Limit Enforcement Middleware
 @app.middleware("http")
 async def tier_limit_middleware(request: Request, call_next):