infra/ingress_factory: add auth = "app" mode for self-authed backends

Adds a fourth auth tier alongside required/public/none. "app" is
functionally identical to "none" — no Authentik middleware attached —
but the distinct name records intent at the call site: this backend
has its own user login (NextAuth, Django, OAuth, bearer-token API,
etc.) and Authentik would only break it.

Why the new tier: with only required/none, every "the app has its
own auth so drop Authentik" decision looked identical at the call
site to "this is an OAuth callback / webhook receiver / native-client
API". Future readers couldn't tell whether a stack was intentionally
unauthenticated or relying on backend auth. Now they can.

Migrates the 8 stacks flipped earlier this session (novelapp, immich,
linkwarden, tandoor, freshrss, affine, actualbudget, ebooks/audiobookshelf)
from "none" to "app". Confirmed no-op: `tg plan` on novelapp showed
"No changes" — same middleware chain, same live state.

The variable description and the .claude/CLAUDE.md Auth section now
spell out the anti-exposure rule: only pick "app" or "none" AFTER
verifying the app has its own user auth ("app") or the endpoint is
intentionally public ("none"). Default stays "required" so accidental
omission fails closed.

[ci skip]
parent dafd7a18bc
commit 459b00fa74
10 changed files with 73 additions and 37 deletions
@ -662,10 +662,10 @@ resource "kubernetes_service" "audiobookshelf" {
|
|||
|
||||
module "audiobookshelf_ingress" {
|
||||
source = "../../modules/kubernetes/ingress_factory"
|
||||
# auth = "none": Audiobookshelf has its own user/password login + API
|
||||
# auth = "app": Audiobookshelf has its own user/password login + API
|
||||
# tokens used by the iOS/Android Audiobookshelf app. Authentik forward-auth
|
||||
# was 302-ing the mobile clients; ABS's own auth gates users.
|
||||
auth = "none"
|
||||
auth = "app"
|
||||
dns_type = "non-proxied"
|
||||
namespace = kubernetes_namespace.ebooks.metadata[0].name
|
||||
name = "audiobookshelf"
|
||||
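Review bot: the comment above `auth = "app"` records why Authentik forward-auth was removed (it was 302-ing the mobile clients) but not how the anti-exposure rule from the commit message was satisfied for this stack. Because "app" attaches the same middleware chain as "none", Audiobookshelf's own login and API tokens are the only gate on this ingress, and nothing in the module checks that claim. Suggest extending the comment with what was verified before the flip, for example that unauthenticated requests to the web UI and the API are rejected, so a later reader can re-run the same check after an upgrade or config change.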