fix: allow unresolved page access during setup flow

- Remove premature auth redirect in unresolved.html fetchUnresolved()
- Add /api/setup/ to middleware exempt paths
- Unresolved page now loads without auth token (part of setup flow)
- Only redirect to login on 401 (expired token) or when all folders resolved

src/server/middleware/setup_redirect.py

@@ -37,6 +37,7 @@ class SetupRedirectMiddleware(BaseHTTPMiddleware):
         "/login",  # Login page (needs to be accessible after setup)
         "/queue",  # Queue page (for initial load)
         "/api/auth/",  # All auth endpoints (setup, login, logout, register)
+        "/api/setup/",  # Setup API (unresolved folders, etc.)
         "/ws/connect",  # WebSocket connection (needed for loading page)
         "/api/queue/",  # Queue API endpoints
         "/api/downloads/",  # Download API endpoints

src/server/web/templates/unresolved.html

@@ -443,15 +443,13 @@
 
         // API client helpers
         async function fetchUnresolved() {
+            // Note: /api/setup/unresolved does not require auth
+            // It's accessible during the initial setup flow
             const token = localStorage.getItem('auth_token');
-            if (!token) {
+            const headers = token ? { 'Authorization': `Bearer ${token}` } : {};
-                window.location.href = '/login';
+            const res = await fetch('/api/setup/unresolved', { headers });
-                return null;
-            }
-            const res = await fetch('/api/setup/unresolved', {
-                headers: { 'Authorization': `Bearer ${token}` }
-            });
             if (res.status === 401) {
+                // Redirect to login only if we had a token but it expired
                 localStorage.removeItem('auth_token');
                 window.location.href = '/login';
                 return null;