Allow anonymous public asset downloads and adopt OSM Liberty style for MapLibre demo.

Public asset links now work without bearer auth while private assets remain protected, and the demo ships with the local osm-liberty-gl-style assets for consistent tile rendering.

Made-with: Cursor

internal/http/api_test.go

@@ -326,7 +326,6 @@ func TestAssetLifecycleAndVisibility(t *testing.T) {
 	user2Pub, user2Priv, _ := ed25519.GenerateKey(rand.Reader)
 	user2PubB64 := base64.RawURLEncoding.EncodeToString(user2Pub)
 	registerUserViaAdmin(t, client, server.URL, adminPubB64, adminPriv, adminToken, user2PubB64, user2Priv, "invite-asset-u2")
-	user2Token := loginUser(t, client, server.URL, user2PubB64, user2Priv)
 
 	createCollectionResp, createCollectionData := postJSON(t, client, server.URL+"/v1/collections", map[string]string{
 		"name": "assets",
@@ -415,7 +414,6 @@ func TestAssetLifecycleAndVisibility(t *testing.T) {
 	}
 
 	reqDownloadPublic, _ := http.NewRequest(http.MethodGet, server.URL+"/v1/assets/"+assetID+"/download", nil)
-	reqDownloadPublic.Header.Set("Authorization", "Bearer "+user2Token)
 	downloadPublicResp, err := client.Do(reqDownloadPublic)
 	if err != nil {
 		t.Fatalf("download public request failed: %v", err)
@@ -436,7 +434,6 @@ func TestAssetLifecycleAndVisibility(t *testing.T) {
 	}
 
 	reqDownloadPrivate, _ := http.NewRequest(http.MethodGet, server.URL+"/v1/assets/"+assetID+"/download", nil)
-	reqDownloadPrivate.Header.Set("Authorization", "Bearer "+user2Token)
 	downloadPrivateResp, err := client.Do(reqDownloadPrivate)
 	if err != nil {
 		t.Fatalf("download private request failed: %v", err)