feat(auth): replace cookie/api-key auth with JWT Bearer tokens, separate UI from API

- Add JWT Bearer token validation to Rust API via OIDC provider JWKS
  with automatic key rotation and 1-hour cache
- Remove x-api-key auth support and built-in web UI from furumi-web-player,
  leaving it as a pure API server
- Add /auth/token endpoint to Node player server to expose OIDC access
  tokens to the frontend
- Move Node player auth endpoints from /api/* to /auth/* to avoid
  path conflicts with Rust API
- Add static file serving to Node Express server for production
  single-container deployment
- Fix SameSite=Strict cookie issue breaking OIDC redirect flow (use Lax)
- Add Dockerfile.node-player with multi-stage Node.js build
- Add CI workflows for node-player Docker image (dev + release)
- Optimize Rust Dockerfiles with dependency caching layer
- Update docker-compose with OIDC env vars and OLLAMA_MODEL support
- Cherry-pick agent LLM client fixes from DEV branch

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

furumi-node-player/client/src/furumiApi.ts

@@ -1,16 +1,21 @@
 import axios from 'axios'
 import type { Album, Artist, SearchResult, Track, TrackDetail } from './types'
 
-const API_BASE = import.meta.env.VITE_API_BASE_URL ?? ''
-export const API_ROOT = `${API_BASE}/api`
-
-const API_KEY = import.meta.env.VITE_API_KEY
+const FURUMI_API_BASE = import.meta.env.VITE_FURUMI_API_URL ?? ''
+export const API_ROOT = `${FURUMI_API_BASE}/api`
 
 export const furumiApi = axios.create({
   baseURL: API_ROOT,
-  headers: API_KEY ? { 'x-api-key': API_KEY } : {},
 })
 
+export function setAuthToken(token: string) {
+  furumiApi.defaults.headers.common['Authorization'] = `Bearer ${token}`
+}
+
+export function clearAuthToken() {
+  delete furumiApi.defaults.headers.common['Authorization']
+}
+
 export async function getArtists(): Promise<Artist[] | null> {
   const res = await furumiApi.get<Artist[]>('/artists').catch(() => null)
   return res?.data ?? null