Remove operator auth — trust the LAN

Can't log in from a fresh LXC deploy, and the service is LAN-only by
design. Rip out the whole bcrypt-password / signed-cookie session
layer: internal/auth, login templates, gen-admin-password binary +
Makefile targets, auth config block, login/logout routes and the
RequireSession middleware wrap. Agent bearer-token auth on
/api/v1/runs/{id}/* is untouched.

Operators who want a password can front the service with a reverse
proxy — noted in README and docs/operations.md.

internal/config/config.go

@@ -1,7 +1,6 @@
 package config
 
 import (
-	"encoding/hex"
 	"fmt"
 	"os"
 
@@ -13,7 +12,6 @@ type Config struct {
 	Database   Database   `yaml:"database"`
 	Artifacts  Artifacts  `yaml:"artifacts"`
 	Logs       Logs       `yaml:"logs"`
-	Auth       Auth       `yaml:"auth"`
 	Dispatcher Dispatcher `yaml:"dispatcher"`
 	Janitor    Janitor    `yaml:"janitor"`
 	PXE        PXE        `yaml:"pxe"`
@@ -52,23 +50,6 @@ type Janitor struct {
 	IntervalMinutes int `yaml:"interval_minutes"` // 0 = 60
 }
 
-type Auth struct {
-	AdminPasswordBcrypt string `yaml:"admin_password_bcrypt"`
-	SessionSecretHex    string `yaml:"session_secret_hex"`
-	SessionTTLHours     int    `yaml:"session_ttl_hours"`
-}
-
-func (a Auth) SessionSecret() ([]byte, error) {
-	b, err := hex.DecodeString(a.SessionSecretHex)
-	if err != nil {
-		return nil, fmt.Errorf("session_secret_hex: %w", err)
-	}
-	if len(b) < 32 {
-		return nil, fmt.Errorf("session_secret_hex must decode to at least 32 bytes, got %d", len(b))
-	}
-	return b, nil
-}
-
 type Dispatcher struct {
 	MaxConcurrentRuns int `yaml:"max_concurrent_runs"`
 }
@@ -132,9 +113,6 @@ func Load(path string) (*Config, error) {
 	if c.Logs.Dir == "" {
 		c.Logs.Dir = "./var/logs"
 	}
-	if c.Auth.SessionTTLHours == 0 {
-		c.Auth.SessionTTLHours = 24
-	}
 	if c.Dispatcher.MaxConcurrentRuns == 0 {
 		c.Dispatcher.MaxConcurrentRuns = 3
 	}