feat(auth): replace cookie/api-key auth with JWT Bearer tokens, separate UI from API

- Add JWT Bearer token validation to Rust API via OIDC provider JWKS
  with automatic key rotation and 1-hour cache
- Remove x-api-key auth support and built-in web UI from furumi-web-player,
  leaving it as a pure API server
- Add /auth/token endpoint to Node player server to expose OIDC access
  tokens to the frontend
- Move Node player auth endpoints from /api/* to /auth/* to avoid
  path conflicts with Rust API
- Add static file serving to Node Express server for production
  single-container deployment
- Fix SameSite=Strict cookie issue breaking OIDC redirect flow (use Lax)
- Add Dockerfile.node-player with multi-stage Node.js build
- Add CI workflows for node-player Docker image (dev + release)
- Optimize Rust Dockerfiles with dependency caching layer
- Update docker-compose with OIDC env vars and OLLAMA_MODEL support
- Cherry-pick agent LLM client fixes from DEV branch

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Cargo.lock

@@ -1114,7 +1114,7 @@ dependencies = [
  "futures-core",
  "futures-util",
  "hmac",
- "jsonwebtoken",
+ "jsonwebtoken 10.3.0",
  "libc",
  "mime_guess",
  "ogg",
@@ -1152,6 +1152,7 @@ dependencies = [
  "base64 0.22.1",
  "clap",
  "hmac",
+ "jsonwebtoken 9.3.1",
  "mime_guess",
  "openidconnect",
  "rand 0.8.5",
@@ -1165,6 +1166,7 @@ dependencies = [
  "tokio",
  "tokio-util",
  "tower 0.4.13",
+ "tower-http",
  "tracing",
  "tracing-subscriber",
  "urlencoding",
@@ -1864,6 +1866,21 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "jsonwebtoken"
+version = "9.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde"
+dependencies = [
+ "base64 0.22.1",
+ "js-sys",
+ "pem",
+ "ring",
+ "serde",
+ "serde_json",
+ "simple_asn1",
+]
+
 [[package]]
 name = "jsonwebtoken"
 version = "10.3.0"