Standalone mode unauthenticated by default

[raballew]

Description

--passphrase defaults to None at python/packages/jumpstarter-cli/jumpstarter_cli/run.py:245. Combined with --tls-grpc-insecure and 0.0.0.0 default binding, standalone mode exposes an unauthenticated, unencrypted gRPC server.

The PassphraseInterceptor at python/packages/jumpstarter/jumpstarter/exporter/auth.py:17-34 exists and works correctly, but defaults to disabled.

No warning is emitted when passphrase is absent (the most dangerous config), but a warning is present when passphrase is used without TLS (less dangerous) (run.py:107).

This applies ONLY to standalone mode; K8s mode has mandatory, non-disableable authentication.

Suggested Fix

• Generate random passphrase when --passphrase not provided
• Require explicit --unsafe-no-auth to disable authentication
• Warn when no passphrase and no TLS

[mangelajo]

I like the suggested fix, let's do it that way.

[ambient-code]

Fix Plan for #356

Problem: Standalone mode defaults to no passphrase authentication, exposing an unauthenticated gRPC server.

Changes in python/packages/jumpstarter-cli/jumpstarter_cli/run.py:

1. When --passphrase is not provided and --tls-grpc-listener is used, a random passphrase is auto-generated using secrets.token_urlsafe(32) and printed to stderr so the user can share it with clients.
2. A new --unsafe-no-auth flag is added to explicitly opt out of authentication (mutually exclusive with --passphrase).
3. Warnings are emitted when --unsafe-no-auth is used, with an extra-strong warning when combined with --tls-grpc-insecure (no auth + no TLS).
4. The existing warning about passphrase without TLS is preserved as-is.

This ensures standalone mode is authenticated by default while giving users an explicit escape hatch.

[ambient-code]

Fix submitted in PR #431: #431