Fix auth: guest role instead of admin when JWT_SECRET unset

backend/api/auth.py

@@ -74,9 +74,9 @@ async def require_auth(
 
     When JWT_SECRET is not set, auth is bypassed (returns guest user).
     """
-    # Auth disabled — allow all
+    # Auth disabled — allow all as read-only guest
     if not JWT_SECRET:
-        return {"sub": "guest", "role": "admin"}
+        return {"sub": "guest", "role": "guest"}
 
     if not credentials:
         raise HTTPException(
@@ -87,7 +87,7 @@ async def require_auth(
 
     jwt = _get_jwt()
     if not jwt:
-        return {"sub": "guest", "role": "admin"}
+        return {"sub": "guest", "role": "guest"}
 
     try:
         payload = jwt.decode(