Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
A Clauster instance bound to a non-loopback address (e.g. 0.0.0.0 or a LAN IP) can serve the entire dashboard and its API without any authentication — even when the operator has configured a password — if auth.enabled is left at its default (false). The operator believes the instance is password-protected; in reality every request is served unauthenticated.