OJP token auth is now live

We switched FOMO Sun transit calls to support bearer token authentication for OJP/OpenTransportData-compatible endpoints.

What changed: the app now reads OJP_API_TOKEN (with OPENTRANSPORTDATA_API_TOKEN fallback) and sends Authorization: Bearer <token> on requests in src/lib/sbb-connections.ts.

Why this matters: authenticated calls reduce quota/rate-limit friction and make travel-time results more stable under load.

What stays the same: current routing behavior is unchanged and still uses the existing connections endpoint path; this update is auth hardening, not a scoring or UX change.

Next step: evaluate native OJP 2.0 trip requests for richer routing semantics once we complete side-by-side quality checks.