TASK-031: Enforce bcrypt 72-byte password limit

Bcrypt silently truncates passwords at 72 bytes, so passwords longer than 72
characters provide no additional security. This commit enforces the 72-byte
maximum across the authentication and setup flows.

Changes:
- Add max_length=72 to LoginRequest.password and SetupRequest.master_password
- Update field validator in SetupRequest to explicitly check max_length
- Add comprehensive tests for password length validation (6 new test cases)
- Document the 72-byte limitation in Features.md (master password options)
- Add new section 12 'Password Hashing' in Backend-Development.md explaining:
  - The bcrypt truncation behavior
  - Why the limit is enforced
  - The validation flow from frontend to backend
  - What happens when passwords exceed the limit

All existing tests pass, no regressions introduced.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Docs/Features.md

@@ -14,7 +14,7 @@ A web application to monitor, manage, and configure fail2ban from a clean, acces
 
 ### Options
 
-- **Master Password** — Set a single global password that protects the entire web interface.
+- **Master Password** — Set a single global password that protects the entire web interface. Must be between 8 and 72 characters long (72-byte limit is due to bcrypt truncation) and include one uppercase letter, one number, and one special character from `!@#$%^&*()`.
 - **Database Path** — Define where the application stores its own SQLite database.
 - **fail2ban Connection** — Specify how the application connects to the running fail2ban instance (socket path or related settings).
 - **General Preferences** — Any additional application-level settings such as default time zone, date format, or session duration.