TASK-031: Enforce bcrypt 72-byte password limit

Bcrypt silently truncates passwords at 72 bytes, so passwords longer than 72
characters provide no additional security. This commit enforces the 72-byte
maximum across the authentication and setup flows.

Changes:
- Add max_length=72 to LoginRequest.password and SetupRequest.master_password
- Update field validator in SetupRequest to explicitly check max_length
- Add comprehensive tests for password length validation (6 new test cases)
- Document the 72-byte limitation in Features.md (master password options)
- Add new section 12 'Password Hashing' in Backend-Development.md explaining:
  - The bcrypt truncation behavior
  - Why the limit is enforced
  - The validation flow from frontend to backend
  - What happens when passwords exceed the limit

All existing tests pass, no regressions introduced.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

backend/app/models/auth.py

@@ -11,7 +11,11 @@ class LoginRequest(BaseModel):
 
     model_config = ConfigDict(strict=True)
 
-    password: str = Field(..., description="Master password to authenticate with.")
+    password: str = Field(
+        ...,
+        max_length=72,
+        description="Master password to authenticate with (max 72 bytes due to bcrypt truncation).",
+    )
 
 
 class LoginResponse(BaseModel):