fix: support file-backed remote login secrets

[Priveetee]

Summary

• allow Server to read the remote login internal token from YOUTUBE_REMOTE_LOGIN_INTERNAL_TOKEN_FILE
• allow Server to read the YouTube Session encryption key from YOUTUBE_SESSION_ENCRYPTION_KEY_FILE
• ignore known placeholder secret values so generated file-backed secrets can take over
• keep direct environment variables as the first-priority source for existing installs

Production behavior

• existing real .env secrets keep working and are not overwritten
• compose-only stacks can mount generated secret files without cloning the repository or running scripts
• this Server change must ship with the matching Token and TypeType compose changes

Verification

• JAVA_HOME=/usr/lib/jvm/java-21-openjdk ./gradlew test
• JAVA_HOME=/usr/lib/jvm/java-21-openjdk ./gradlew shadowJar
• git diff --check
• dev branch checks passed: OpenAPI, Coverage, CI, Docker

Rollback

• rollback the Server image if file-backed secret loading regresses
• direct environment variables remain supported during rollback