feat: make authentication optional — no tokens = no auth

When no api_tokens are configured (the new default), all endpoints
are accessible without authentication. The frontend detects this
via /api/health's auth_required field and skips the login form.

- Backend: auth.py skips verification when api_tokens is empty
- Frontend: shared getAuthHeaders()/hasCredentials() helpers replace
  scattered token logic across all JS modules
- Health endpoint exposes auth_required for frontend discovery
- config.example.yaml ships with tokens commented out
- CLI --show-token and startup log reflect disabled state

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

config.example.yaml

@@ -1,13 +1,14 @@
 # Media Server Configuration
 # Copy this file to config.yaml and customize as needed.
-# A secure token will be auto-generated on first run if not specified.
+# By default, authentication is DISABLED (no tokens = open access).
+# To enable auth, uncomment and configure the api_tokens section below.
 
 # API Tokens - Multiple tokens with friendly labels
 # This allows you to identify which client is making requests in the logs
-api_tokens:
-  home_assistant: "your-home-assistant-token-here"
-  mobile: "your-mobile-app-token-here"
-  web_ui: "your-web-ui-token-here"
+# api_tokens:
+#   home_assistant: "your-home-assistant-token-here"
+#   mobile: "your-mobile-app-token-here"
+#   web_ui: "your-web-ui-token-here"
 
 # Server settings
 host: "0.0.0.0"