main.py:484 compares passwords as plaintext strings from env vars via hmac.compare_digest. The ingest-by-youtube-id endpoint (line 847) also takes the admin password in the POST body. Solution: store a bcrypt hash in the env var and use bcrypt.checkpw for comparison. For the bookmarklet endpoint, switch to token-based auth.