fix(auth): blank password field no longer clears auth; add Disable Auth button

The previous logic treated a blank password field as intent to clear auth,
which meant saving any other setting (model, send key, etc.) would silently
disable password protection.

New behavior:
- Blank password field + Save Settings = no change to auth (do nothing)
- Password field with content + Save = set/change password (unchanged)
- 'Disable Auth' button = explicit confirmation-gated clear (new)

UI changes:
- index.html: updated description text to 'Leave blank to keep current
  setting'; added 'Disable Auth' button (amber, shown only when auth active)
- panels.js: saveSettings() skips password logic entirely when field is blank;
  loadSettingsPanel() shows/hides both btnDisableAuth and btnSignOut based on
  auth_enabled; new disableAuth() function sends _clear_password:true after
  confirm() prompt and hides both auth buttons on success

Server: no logic changes needed; _clear_password handling in save_settings()
is now only triggered by the explicit Disable Auth action.

api/config.py

@@ -624,6 +624,9 @@ def save_settings(settings: dict) -> dict:
     if raw_pw and isinstance(raw_pw, str) and raw_pw.strip():
         salt = str(STATE_DIR).encode()
         current['password_hash'] = _hl.sha256(salt + raw_pw.strip().encode()).hexdigest()
+    # Handle _clear_password: explicitly disable auth
+    if settings.pop('_clear_password', False):
+        current['password_hash'] = None
     for k, v in settings.items():
         if k in _SETTINGS_ALLOWED_KEYS:
             # Validate enum-constrained keys

api/routes.py

@@ -374,7 +374,9 @@ def handle_post(handler, parsed):
 
     # ── Settings (POST) ──
     if parsed.path == '/api/settings':
-        return j(handler, save_settings(body))
+        saved = save_settings(body)
+        saved.pop('password_hash', None)  # never expose hash to client
+        return j(handler, saved)
 
     # ── Session pin (POST) ──
     if parsed.path == '/api/session/pin':