fix(server,agent): apply Tasks 3-5 review fixes (non-blocking)

From the secure-session-core Tasks 3-5 code review (APPROVE-WITH-FIXES):
- MEDIUM-2: delete the dead `validate_agent_key` "accept-any-key" placeholder +
  its AuthenticatedAgent/AuthState scaffolding (zero callers; the real agent
  auth is validate_agent_api_key + per-agent cak_ keys). Removes an auth landmine.
- LOW-3: stop interpolating support-code values into 3 relay log lines (bearer
  credentials).
- LOW-1: document the X-Real-IP trust requirement in ip_extract.rs (NPM must set
  it from $remote_addr); behavior unchanged.
- LOW-2: correct the consent/heartbeat comment in agent session loop (the loop
  awaits the dialog; safe because CONSENT_TIMEOUT 60s < HEARTBEAT_TIMEOUT 90s).
cargo fmt/clippy(-D warnings)/test all green on GURU-5070 (89 tests, 0 warnings).
MEDIUM-1 (viewer-token logout revocation) remains a tracked follow-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

server/src/main.rs

@@ -443,7 +443,10 @@ async fn main() -> Result<()> {
         // fallback below — CLAUDE.md documents this as the public download URL.
         // `nest_service` is matched BEFORE `fallback_service`, so these binaries
         // are served from disk and never fall through to the SPA index.html.
-        .nest_service("/downloads", ServeDir::new(format!("{STATIC_DIR}/downloads")))
+        .nest_service(
+            "/downloads",
+            ServeDir::new(format!("{STATIC_DIR}/downloads")),
+        )
         // NOTE: there are intentionally no /login, /dashboard, /users routes.
         // The v2 SPA (BrowserRouter) owns those paths and resolves them via the
         // fallback_service below; registering server-side handlers for them would
@@ -909,4 +912,3 @@ async fn trigger_machine_update(
         ))
     }
 }
-