feat: make authentication optional — no tokens = no auth

When no api_tokens are configured (the new default), all endpoints
are accessible without authentication. The frontend detects this
via /api/health's auth_required field and skips the login form.

- Backend: auth.py skips verification when api_tokens is empty
- Frontend: shared getAuthHeaders()/hasCredentials() helpers replace
  scattered token logic across all JS modules
- Health endpoint exposes auth_required for frontend discovery
- config.example.yaml ships with tokens commented out
- CLI --show-token and startup log reflect disabled state

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

media_server/routes/health.py

@@ -5,6 +5,8 @@ from typing import Any
 
 from fastapi import APIRouter
 
+from ..auth import auth_enabled
+
 router = APIRouter(prefix="/api", tags=["health"])
 
 
@@ -19,4 +21,5 @@ async def health_check() -> dict[str, Any]:
         "status": "healthy",
         "platform": platform.system(),
         "version": "1.0.0",
+        "auth_required": auth_enabled(),
     }

media_server/routes/media.py

@@ -334,15 +334,16 @@ async def websocket_endpoint(
     - {"type": "get_status"} - Request current status
     """
     # Verify token
-    from ..auth import get_token_label, token_label_var
+    from ..auth import auth_enabled, get_token_label, token_label_var
 
-    label = get_token_label(token) if token else None
-    if label is None:
-        await websocket.close(code=4001, reason="Invalid authentication token")
-        return
-
-    # Set label in context for logging
-    token_label_var.set(label)
+    if auth_enabled():
+        label = get_token_label(token) if token else None
+        if label is None:
+            await websocket.close(code=4001, reason="Invalid authentication token")
+            return
+        token_label_var.set(label)
+    else:
+        token_label_var.set("anonymous")
 
     await ws_manager.connect(websocket)