Fix CPU HLS streaming (yuv420p) and opt-in middleware for fragments

- Add -pix_fmt yuv420p to multi_res_output.py libx264 path so browsers
  can decode CPU-encoded segments (was producing yuv444p / High 4:4:4).
- Switch silent auth check and coop fragment middlewares from opt-out
  blocklists to opt-in: only run for GET requests with Accept: text/html.
  Prevents unnecessary nav-tree/auth-menu HTTP calls on every HLS segment,
  IPFS proxy, and API request.
- Add opaque grant token verification to L1/L2 dependencies.
- Migrate client CLI to device authorization flow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

l1/app/__init__.py

@@ -18,8 +18,6 @@ from artdag_common.middleware.auth import get_user_from_cookie
 
 from .config import settings
 
-# Paths that should never trigger a silent auth check
-_SKIP_PREFIXES = ("/auth/", "/static/", "/api/", "/ipfs/", "/download/", "/inbox", "/health", "/internal/", "/oembed")
 _SILENT_CHECK_COOLDOWN = 300  # 5 minutes
 _DEVICE_COOKIE = "artdag_did"
 _DEVICE_COOKIE_MAX_AGE = 30 * 24 * 3600  # 30 days
@@ -60,14 +58,15 @@ def create_app() -> FastAPI:
     async def shutdown():
         await close_db()
 
-    # Silent auth check — auto-login via prompt=none OAuth
+    # Silent auth check — auto-login via prompt=none OAuth.
+    # Only runs for browser page loads (Accept: text/html).
     # NOTE: registered BEFORE device_id so device_id is outermost (runs first)
     @app.middleware("http")
     async def silent_auth_check(request: Request, call_next):
-        path = request.url.path
+        accept = request.headers.get("accept", "")
         if (
             request.method != "GET"
-            or any(path.startswith(p) for p in _SKIP_PREFIXES)
+            or "text/html" not in accept
             or request.headers.get("hx-request")  # skip HTMX
         ):
             return await call_next(request)
@@ -148,17 +147,14 @@ def create_app() -> FastAPI:
         return response
 
     # Coop fragment pre-fetch — inject nav-tree, auth-menu, cart-mini into
-    # request.state for full-page HTML renders.  Skips HTMX, API, and
-    # internal paths.  Failures are silent (fragments default to "").
-    _FRAG_SKIP = ("/auth/", "/api/", "/internal/", "/health", "/oembed",
-                   "/ipfs/", "/download/", "/inbox", "/static/")
-
+    # request.state for full-page HTML renders.  Opt-in: only fetches for
+    # browser page loads (Accept: text/html, non-HTMX GET requests).
     @app.middleware("http")
     async def coop_fragments_middleware(request: Request, call_next):
-        path = request.url.path
+        accept = request.headers.get("accept", "")
         if (
             request.method != "GET"
-            or any(path.startswith(p) for p in _FRAG_SKIP)
+            or "text/html" not in accept
             or request.headers.get("hx-request")
             or request.headers.get(fragments.FRAGMENT_HEADER)
         ):
@@ -171,7 +167,7 @@ def create_app() -> FastAPI:
 
         user = get_user_from_cookie(request)
         auth_params = {"email": user.email or user.username} if user else {}
-        nav_params = {"app_name": "artdag", "path": path}
+        nav_params = {"app_name": "artdag", "path": request.url.path}
 
         try:
             nav_tree_html, auth_menu_html, cart_mini_html = await _fetch_frags([