fix: allow unresolved page access during setup flow

- Remove premature auth redirect in unresolved.html fetchUnresolved()
- Add /api/setup/ to middleware exempt paths
- Unresolved page now loads without auth token (part of setup flow)
- Only redirect to login on 401 (expired token) or when all folders resolved

src/server/web/templates/unresolved.html

@@ -443,15 +443,13 @@
 
         // API client helpers
         async function fetchUnresolved() {
+            // Note: /api/setup/unresolved does not require auth
+            // It's accessible during the initial setup flow
             const token = localStorage.getItem('auth_token');
-            if (!token) {
-                window.location.href = '/login';
-                return null;
-            }
-            const res = await fetch('/api/setup/unresolved', {
-                headers: { 'Authorization': `Bearer ${token}` }
-            });
+            const headers = token ? { 'Authorization': `Bearer ${token}` } : {};
+            const res = await fetch('/api/setup/unresolved', { headers });
             if (res.status === 401) {
+                // Redirect to login only if we had a token but it expired
                 localStorage.removeItem('auth_token');
                 window.location.href = '/login';
                 return null;