Fix Zabbix API token auth for Zabbix 6.4+

Zabbix 6.4+ rejects API tokens in the JSON-RPC "auth" field.
Tokens must now be sent as "Authorization: Bearer <token>" HTTP header.
User/password sessions still use the payload auth field as before.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/zabbix.py

@@ -37,9 +37,14 @@ class ZabbixClient:
     def _call(self, method, params):
         self._id += 1
         payload = {'jsonrpc': '2.0', 'method': method, 'params': params, 'id': self._id}
-        if self._auth:
+        headers = {}
+        if ZABBIX_API_TOKEN:
+            # Zabbix 6.4+: API tokens go in the Authorization header, not the payload
+            headers['Authorization'] = f'Bearer {ZABBIX_API_TOKEN}'
+        elif self._auth:
+            # Zabbix < 6.4 / user+password sessions: auth goes in the JSON-RPC payload
             payload['auth'] = self._auth
-        resp = requests.post(self._url, json=payload, timeout=30)
+        resp = requests.post(self._url, json=payload, headers=headers, timeout=30)
         resp.raise_for_status()
         body = resp.json()
         if 'error' in body:
@@ -48,7 +53,7 @@ class ZabbixClient:
 
     def login(self):
         if ZABBIX_API_TOKEN:
-            self._auth = ZABBIX_API_TOKEN   # API token used directly — no session needed
+            pass  # token is sent via Authorization header in every _call — no login needed
         else:
             self._auth = self._call('user.login', {'user': ZABBIX_USER, 'password': ZABBIX_PASSWORD})