feat: Stage 2 — authentication and setup flow

Backend (tasks 2.1–2.6, 2.10):
- settings_repo: get/set/delete/get_all CRUD for the key-value settings table
- session_repo: create/get/delete/delete_expired for session rows
- setup_service: bcrypt password hashing, one-time-only enforcement,
  run_setup() / is_setup_complete() / get_password_hash()
- auth_service: login() with bcrypt verify + token creation,
  validate_session() with expiry check, logout()
- setup router: GET /api/setup (status), POST /api/setup (201 / 409)
- auth router: POST /api/auth/login (token + HttpOnly cookie),
               POST /api/auth/logout (clears cookie, idempotent)
- SetupRedirectMiddleware: 307 → /api/setup for all API paths until setup done
- require_auth dependency: cookie or Bearer token → Session or 401
- conftest.py: manually bootstraps app.state.db for router tests
  (ASGITransport does not trigger ASGI lifespan)
- 85 tests pass; ruff 0 errors; mypy --strict 0 errors

Frontend (tasks 2.7–2.9):
- types/auth.ts, types/setup.ts, api/auth.ts, api/setup.ts
- AuthProvider: sessionStorage-backed context (isAuthenticated, login, logout)
- RequireAuth: guard component → /login?next=<path> when unauthenticated
- SetupPage: Fluent UI form, client-side validation, inline errors
- LoginPage: single password input, ?next= redirect after success
- DashboardPage: placeholder (full impl Stage 5)
- App.tsx: full route tree (/setup, /login, /, *)

backend/app/dependencies.py

@@ -13,9 +13,12 @@ import structlog
 from fastapi import Depends, HTTPException, Request, status
 
 from app.config import Settings
+from app.models.auth import Session
 
 log: structlog.stdlib.BoundLogger = structlog.get_logger()
 
+_COOKIE_NAME = "bangui_session"
+
 
 async def get_db(request: Request) -> aiosqlite.Connection:
     """Provide the shared :class:`aiosqlite.Connection` from ``app.state``.
@@ -51,6 +54,51 @@ async def get_settings(request: Request) -> Settings:
     return request.app.state.settings  # type: ignore[no-any-return]
 
 
+async def require_auth(
+    request: Request,
+    db: Annotated[aiosqlite.Connection, Depends(get_db)],
+) -> Session:
+    """Validate the session token and return the active session.
+
+    The token is read from the ``bangui_session`` cookie or the
+    ``Authorization: Bearer`` header.
+
+    Args:
+        request: The incoming FastAPI request.
+        db: Injected aiosqlite connection.
+
+    Returns:
+        The active :class:`~app.models.auth.Session`.
+
+    Raises:
+        HTTPException: 401 if no valid session token is found.
+    """
+    from app.services import auth_service  # noqa: PLC0415
+
+    token: str | None = request.cookies.get(_COOKIE_NAME)
+    if not token:
+        auth_header: str = request.headers.get("Authorization", "")
+        if auth_header.startswith("Bearer "):
+            token = auth_header[len("Bearer "):]
+
+    if not token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authentication required.",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    try:
+        return await auth_service.validate_session(db, token)
+    except ValueError as exc:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=str(exc),
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from exc
+
+
 # Convenience type aliases for route signatures.
 DbDep = Annotated[aiosqlite.Connection, Depends(get_db)]
 SettingsDep = Annotated[Settings, Depends(get_settings)]
+AuthDep = Annotated[Session, Depends(require_auth)]