    Resolve conflict between token security and dashboard functionality · d9965453
    Your Name authored
    Add separate api_token_access_control_middleware that runs AFTER auth_middleware
    so request.state.is_global_token is already set when checking permissions.
    
    Final middleware execution order (FIRST to LAST on request):
    1. ProxyHeadersMiddleware
    2. SessionMiddleware
    3. CORSMiddleware
    4. tier_limit_middleware
    5. api_token_access_control_middleware (NEW) - blocks global tokens from user endpoints
    6. auth_middleware - sets is_global_token flag
    7. dashboard_context_middleware - sets is_aisbf_cloud and welcome_shown
    
     Token security: Global tokens CANNOT access /api/u/* user endpoints
     Dashboard: Welcome modal and footer links work correctly
     Boot flow: Models load from providers.json on startup
main.py 555 KB
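An added illustration, not code from this commit or from main.py: a framework-free model of a middleware chain showing how a check that reads `is_global_token` behaves depending on whether the middleware that sets the flag has already run. The token value, the paths, the `getattr` default, and the `strict_access_control_middleware` variant are assumptions made for the example.

```python
from types import SimpleNamespace

GLOBAL_TOKEN = "global-token-constructed"  # constructed sample value

class Request:
    def __init__(self, path, token):
        self.path, self.token = path, token
        self.state = SimpleNamespace()  # per-request state, like request.state

def auth_middleware(request, call_next):
    # Sets the flag that the access-control check depends on.
    request.state.is_global_token = (request.token == GLOBAL_TOKEN)
    return call_next(request)

def api_token_access_control_middleware(request, call_next):
    # Blocks global tokens from /api/u/* user endpoints.
    # Assumption: a missing flag is read as False, so the check fails open.
    flagged = getattr(request.state, "is_global_token", False)
    if request.path.startswith("/api/u/") and flagged:
        return 403
    return call_next(request)

def strict_access_control_middleware(request, call_next):
    # Hypothetical fail-closed variant: a missing flag means the chain is
    # misordered, so the request is refused instead of silently allowed.
    if request.path.startswith("/api/u/"):
        if not hasattr(request.state, "is_global_token"):
            return 500
        if request.state.is_global_token:
            return 403
    return call_next(request)

def status(chain, path, token):
    """Run `chain` FIRST to LAST on one request and return the status code."""
    def dispatch(i, req):
        if i == len(chain):
            return 200  # the endpoint itself
        return chain[i](req, lambda r: dispatch(i + 1, r))
    return dispatch(0, Request(path, token))
```

A regression test that sends a global token to a `/api/u/*` route through the fully assembled application and expects a rejection will catch a misordered chain regardless of how the framework orders registration.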