api: drop bearer-token gate from /api/* CRUD + simulate

The SPA can't carry a Bearer header — there's no client-side mechanism
to obtain the RECOMPUTE_BEARER_TOKEN, and the value can't safely be
embedded in the JS bundle. Result: every POST/PATCH/DELETE on
scenarios/life-events/goals + every /simulate + /compare returned 401
in prod, breaking the SPA end-to-end.

Strip require_bearer from the routers. Authentik forward-auth on the
SPA path (/) is now the security boundary; /api/* is open at both
ingress + app level. Single-tenant personal tool — the data is
the user's own anonymous numeric projections.

Kept on /recompute (heavy admin batch in app.py) since that's an
operator action, not a user one.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fire_planner/api/goals.py

@@ -5,7 +5,6 @@ from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy import delete, select
 from sqlalchemy.ext.asyncio import AsyncSession
 
-from fire_planner.api.auth import require_bearer
 from fire_planner.api.dependencies import get_session
 from fire_planner.api.schemas import GoalCreate, GoalOut
 from fire_planner.db import RetirementGoal, Scenario
@@ -34,7 +33,6 @@ async def list_goals(
     "/scenarios/{scenario_id}/goals",
     response_model=GoalOut,
     status_code=201,
-    dependencies=[Depends(require_bearer)],
 )
 async def create_goal(
     scenario_id: int,
@@ -55,7 +53,6 @@ async def create_goal(
     "/goals/{goal_id}",
     status_code=204,
     response_model=None,
-    dependencies=[Depends(require_bearer)],
 )
 async def delete_goal(
     goal_id: int,