feat: make authentication optional — no tokens = no auth

When no api_tokens are configured (the new default), all endpoints
are accessible without authentication. The frontend detects this
via /api/health's auth_required field and skips the login form.

- Backend: auth.py skips verification when api_tokens is empty
- Frontend: shared getAuthHeaders()/hasCredentials() helpers replace
  scattered token logic across all JS modules
- Health endpoint exposes auth_required for frontend discovery
- config.example.yaml ships with tokens commented out
- CLI --show-token and startup log reflect disabled state

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

media_server/routes/health.py

@@ -5,6 +5,8 @@ from typing import Any
 
 from fastapi import APIRouter
 
+from ..auth import auth_enabled
+
 router = APIRouter(prefix="/api", tags=["health"])
 
 
@@ -19,4 +21,5 @@ async def health_check() -> dict[str, Any]:
         "status": "healthy",
         "platform": platform.system(),
         "version": "1.0.0",
+        "auth_required": auth_enabled(),
     }