fix(beads-server): add Authentik auth to Dolt Workbench

- Set protected=true on ingress (Authentik forward-auth)
- Remove unused DATABASE_URL env var (Workbench uses browser-based connection config)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

stacks/beads-server/main.tf

@@ -214,11 +214,6 @@ resource "kubernetes_deployment" "workbench" {
             container_port = 9002
           }
 
-          env {
-            name  = "DATABASE_URL"
-            value = "mysql://beads@dolt.beads-server.svc.cluster.local:3306/code"
-          }
-
           startup_probe {
             http_get {
               path = "/"
@@ -295,6 +290,7 @@ module "ingress" {
   namespace       = kubernetes_namespace.beads.metadata[0].name
   name            = "dolt-workbench"
   tls_secret_name = var.tls_secret_name
+  protected       = true
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "Dolt Workbench"