feat(swagger): mount Swagger UI at /api/swagger

- Import swagger-ui-express, swagger-jsdoc, yamljs in app.js and index.js
- Load server/openapi.yaml as base spec
- Configure swagger-jsdoc to merge JSDoc comments from route files
- Mount Swagger UI at /api/swagger (publicly accessible)
- Add authentication banner explaining cookie + CSRF flow
- Ensure spec loads from both createApp (tests) and index.js (production)

public/swagger-auth-banner.js

@@ -0,0 +1,34 @@
+// Swagger UI authentication banner
+// This banner explains the cookie + CSRF authentication flow
+(function() {
+  window.addEventListener('load', function() {
+    const banner = document.createElement('div');
+    banner.style.cssText = `
+      background: #fff3cd;
+      border: 1px solid #ffc107;
+      border-radius: 4px;
+      padding: 12px 16px;
+      margin: 16px;
+      font-family: sans-serif;
+      font-size: 14px;
+      line-height: 1.5;
+      color: #856404;
+    `;
+    banner.innerHTML = `
+      <strong>Authentication Required for Most Endpoints</strong><br>
+      sofarr uses cookie-based authentication with Emby/Jellyfin. To test authenticated endpoints:<br>
+      1. Call <code>POST /api/auth/login</code> with your username and password<br>
+      2. The server sets an <code>emby_user</code> cookie and <code>csrf_token</code> cookie<br>
+      3. Include these cookies in subsequent requests<br>
+      4. For state-changing operations (POST/PUT/PATCH/DELETE), also send the <code>X-CSRF-Token</code> header<br>
+      <br>
+      <em>Note: The Swagger UI "Authorize" button is not used. Authentication is handled via cookies.</em>
+    `;
+    
+    // Insert after the topbar (which we hide with CSS) or at the top of the info section
+    const info = document.querySelector('.info');
+    if (info) {
+      info.insertBefore(banner, info.firstChild);
+    }
+  });
+})();