feat: make authentication optional — no tokens = no auth

When no api_tokens are configured (the new default), all endpoints
are accessible without authentication. The frontend detects this
via /api/health's auth_required field and skips the login form.

- Backend: auth.py skips verification when api_tokens is empty
- Frontend: shared getAuthHeaders()/hasCredentials() helpers replace
  scattered token logic across all JS modules
- Health endpoint exposes auth_required for frontend discovery
- config.example.yaml ships with tokens commented out
- CLI --show-token and startup log reflect disabled state

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

media_server/static/js/app.js

@@ -13,6 +13,7 @@ import {
     togglePlayPause, nextTrack, previousTrack, toggleMute,
     VOLUME_THROTTLE_MS, VOLUME_RELEASE_DELAY_MS,
     changeLocale, t,
+    setAuthRequired,
 } from './core.js';
 
 // Layer 1: Player (tabs, theme, accent, vinyl, visualizer, UI)
@@ -160,8 +161,25 @@ window.addEventListener('DOMContentLoaded', async () => {
     // Load version from health endpoint
     fetchVersion();
 
+    // Check if authentication is required
+    let authReq = true;
+    try {
+        const healthResp = await fetch('/api/health');
+        const healthData = await healthResp.json();
+        authReq = healthData.auth_required !== false;
+    } catch { /* assume auth required on error */ }
+    setAuthRequired(authReq);
+
     const token = localStorage.getItem('media_server_token');
-    if (token) {
+    if (!authReq) {
+        // No auth required — connect directly without token
+        connectWebSocket('');
+        loadScripts();
+        loadScriptsTable();
+        loadCallbacksTable();
+        loadLinksTable();
+        loadAudioDevices();
+    } else if (token) {
         connectWebSocket(token);
         loadScripts();
         loadScriptsTable();