Fix basicauth: don't double dollar signs for docker service update

The bcrypt hash was escaping $ to $$ which is only needed in compose
files. docker service update --label-add with single-quoted values
preserves dollar signs literally, so doubling them broke Traefik auth.

Co-authored-by: Cursor <cursoragent@cursor.com>

internal/server/labels.go

@@ -161,15 +161,15 @@ func (lm *LabelManager) Remove(tunKey string) error {
 }
 
 // generateHTPasswd creates a bcrypt-hashed htpasswd entry for Traefik basicauth.
-// The output format is user:$$hash (with $ escaped for Docker label values).
+// The output format is user:$hash. Dollar signs are NOT doubled here because
+// we pass labels via docker service update with single-quoted values, which
+// preserves them literally. Doubling is only needed in compose files.
 func generateHTPasswd(user, pass string) (string, error) {
 	hash, err := bcrypt.GenerateFromPassword([]byte(pass), bcrypt.DefaultCost)
 	if err != nil {
 		return "", fmt.Errorf("bcrypt hash: %w", err)
 	}
-	// Traefik in Docker labels requires dollar signs to be doubled.
+	return fmt.Sprintf("%s:%s", user, string(hash)), nil
-	escaped := strings.ReplaceAll(string(hash), "$", "$$")
-	return fmt.Sprintf("%s:%s", user, escaped), nil
 }
 
 // labelFlag formats a --label-add value, quoting properly for shell.