feat: track authorized (authenticated + successful) requests

Add 'authorized' status for requests that complete successfully after
authentication. This complements the existing 'unauthenticated' (pre-auth)
status tracking.

Now the dashboard shows:
- Authorized: Authenticated requests that succeeded
- Unauthorized: Authenticated requests rejected (not in allowlist)
- Pre-Auth: Requests sent before authentication

This gives full visibility into the auth flow:
1. Challenges: How many clients authenticated
2. Authorized: How many authenticated requests succeeded
3. Unauthorized: How many were rejected despite valid auth
4. Pre-Auth: How many tried before authenticating

Updated metrics:
- requests_total{status="authorized"} - authenticated successes
- requests_total{status="ok"} - unauthenticated successes (when no auth)

1 files changed, 12 insertions, 2 deletions

diff --git a/internal/handler/websocket/handler.go b/internal/handler/websocket/handler.go
index dfe7b9e..909e2ec 100644
--- a/internal/handler/websocket/handler.go
+++ b/internal/handler/websocket/handler.go
@@ -348,7 +348,12 @@ func (h *Handler) handleEvent(ctx context.Context, conn *websocket.Conn, raw []j
 
         h.subs.MatchAndFan(pbEvent)
 
-        status = "ok"
+        // Track whether request was authenticated for metrics
+        if state.authenticatedPubkey != "" {
+                status = "authorized"
+        } else {
+                status = "ok"
+        }
         h.sendOK(ctx, conn, event.ID, true, "")
         return nil
 }
@@ -448,7 +453,12 @@ func (h *Handler) handleReq(ctx context.Context, conn *websocket.Conn, raw []jso
 
         go h.streamEvents(ctx, conn, sub)
 
-        status = "ok"
+        // Track whether request was authenticated for metrics
+        if state.authenticatedPubkey != "" {
+                status = "authorized"
+        } else {
+                status = "ok"
+        }
         return nil
 }