feat: unify recommend anonymous runtime guest auth

- Route recommended runtime launches through shared runtime guest token handling
- Extend recommend-page anonymous play beyond jump-hop
- Add regression coverage for runtime guest launch clients
- Update docs to reflect the full anonymous-play matrix

server-rs/crates/api-server/src/modules/auth.rs

@@ -4,7 +4,7 @@ use axum::{
 };
 
 use crate::{
-    auth::{attach_refresh_session_token, require_bearer_auth},
+    auth::{attach_refresh_session_token, issue_runtime_guest_token, require_bearer_auth},
     auth_me::auth_me,
     auth_public_user::{get_public_user_by_code, get_public_user_by_id},
     auth_sessions::{auth_sessions, revoke_auth_session},
@@ -65,6 +65,7 @@ pub fn router(state: AppState) -> Router<AppState> {
                 attach_refresh_session_token,
             )),
         )
+        .route("/api/auth/runtime-guest-token", post(issue_runtime_guest_token))
         .route("/api/auth/phone/send-code", post(send_phone_code))
         .route("/api/auth/phone/login", post(phone_login))
         .route("/api/auth/wechat/start", get(start_wechat_login))

server-rs/crates/api-server/src/modules/jump_hop.rs

@@ -4,7 +4,7 @@ use axum::{
 };
 
 use crate::{
-    auth::{attach_optional_bearer_auth, require_bearer_auth},
+    auth::{require_bearer_auth, require_runtime_principal_auth},
     jump_hop::{
         create_jump_hop_session, execute_jump_hop_action, get_jump_hop_gallery_detail,
         get_jump_hop_runtime_work, get_jump_hop_session, jump_hop_run_jump, list_jump_hop_gallery,
@@ -58,21 +58,21 @@ pub fn router(state: AppState) -> Router<AppState> {
             "/api/runtime/jump-hop/runs",
             post(start_jump_hop_run).route_layer(middleware::from_fn_with_state(
                 state.clone(),
-                attach_optional_bearer_auth,
+                require_runtime_principal_auth,
             )),
         )
         .route(
             "/api/runtime/jump-hop/runs/{run_id}/jump",
             post(jump_hop_run_jump).route_layer(middleware::from_fn_with_state(
                 state.clone(),
-                attach_optional_bearer_auth,
+                require_runtime_principal_auth,
             )),
         )
         .route(
             "/api/runtime/jump-hop/runs/{run_id}/restart",
             post(restart_jump_hop_run).route_layer(middleware::from_fn_with_state(
                 state.clone(),
-                attach_optional_bearer_auth,
+                require_runtime_principal_auth,
             )),
         )
         .route("/api/runtime/jump-hop/gallery", get(list_jump_hop_gallery))

server-rs/crates/api-server/src/modules/wooden_fish.rs

@@ -4,7 +4,7 @@ use axum::{
 };
 
 use crate::{
-    auth::require_bearer_auth,
+    auth::{require_bearer_auth, require_runtime_principal_auth},
     state::AppState,
     wooden_fish::{
         checkpoint_wooden_fish_run, create_wooden_fish_session, execute_wooden_fish_action,
@@ -52,21 +52,21 @@ pub fn router(state: AppState) -> Router<AppState> {
             "/api/runtime/wooden-fish/runs",
             post(start_wooden_fish_run).route_layer(middleware::from_fn_with_state(
                 state.clone(),
-                require_bearer_auth,
+                require_runtime_principal_auth,
             )),
         )
         .route(
             "/api/runtime/wooden-fish/runs/{run_id}/checkpoint",
             post(checkpoint_wooden_fish_run).route_layer(middleware::from_fn_with_state(
                 state.clone(),
-                require_bearer_auth,
+                require_runtime_principal_auth,
             )),
         )
         .route(
             "/api/runtime/wooden-fish/runs/{run_id}/finish",
             post(finish_wooden_fish_run).route_layer(middleware::from_fn_with_state(
                 state.clone(),
-                require_bearer_auth,
+                require_runtime_principal_auth,
             )),
         )
         .route(