feat: Stage 2 — authentication and setup flow

Backend (tasks 2.1–2.6, 2.10):
- settings_repo: get/set/delete/get_all CRUD for the key-value settings table
- session_repo: create/get/delete/delete_expired for session rows
- setup_service: bcrypt password hashing, one-time-only enforcement,
  run_setup() / is_setup_complete() / get_password_hash()
- auth_service: login() with bcrypt verify + token creation,
  validate_session() with expiry check, logout()
- setup router: GET /api/setup (status), POST /api/setup (201 / 409)
- auth router: POST /api/auth/login (token + HttpOnly cookie),
               POST /api/auth/logout (clears cookie, idempotent)
- SetupRedirectMiddleware: 307 → /api/setup for all API paths until setup done
- require_auth dependency: cookie or Bearer token → Session or 401
- conftest.py: manually bootstraps app.state.db for router tests
  (ASGITransport does not trigger ASGI lifespan)
- 85 tests pass; ruff 0 errors; mypy --strict 0 errors

Frontend (tasks 2.7–2.9):
- types/auth.ts, types/setup.ts, api/auth.ts, api/setup.ts
- AuthProvider: sessionStorage-backed context (isAuthenticated, login, logout)
- RequireAuth: guard component → /login?next=<path> when unauthenticated
- SetupPage: Fluent UI form, client-side validation, inline errors
- LoginPage: single password input, ?next= redirect after success
- DashboardPage: placeholder (full impl Stage 5)
- App.tsx: full route tree (/setup, /login, /, *)

backend/app/main.py

@@ -18,19 +18,22 @@ from pathlib import Path
 from typing import TYPE_CHECKING
 
 if TYPE_CHECKING:
-    from collections.abc import AsyncGenerator
+    from collections.abc import AsyncGenerator, Awaitable, Callable
+
+    from starlette.responses import Response as StarletteResponse
 
 import aiohttp
 import aiosqlite
 import structlog
 from apscheduler.schedulers.asyncio import AsyncIOScheduler  # type: ignore[import-untyped]
-from fastapi import FastAPI, Request
+from fastapi import FastAPI, Request, status
 from fastapi.middleware.cors import CORSMiddleware
-from fastapi.responses import JSONResponse
+from fastapi.responses import JSONResponse, RedirectResponse
+from starlette.middleware.base import BaseHTTPMiddleware
 
 from app.config import Settings, get_settings
 from app.db import init_db
-from app.routers import health
+from app.routers import auth, health, setup
 
 # ---------------------------------------------------------------------------
 # Ensure the bundled fail2ban package is importable from fail2ban-master/
@@ -156,6 +159,60 @@ async def _unhandled_exception_handler(
     )
 
 
+# ---------------------------------------------------------------------------
+# Setup-redirect middleware
+# ---------------------------------------------------------------------------
+
+# Paths that are always reachable, even before setup is complete.
+_ALWAYS_ALLOWED: frozenset[str] = frozenset(
+    {"/api/setup", "/api/health"},
+)
+
+
+class SetupRedirectMiddleware(BaseHTTPMiddleware):
+    """Redirect all API requests to ``/api/setup`` until setup is done.
+
+    Once setup is complete this middleware is a no-op.  Paths listed in
+    :data:`_ALWAYS_ALLOWED` are exempt so the setup endpoint itself is
+    always reachable.
+    """
+
+    async def dispatch(
+        self,
+        request: Request,
+        call_next: Callable[[Request], Awaitable[StarletteResponse]],
+    ) -> StarletteResponse:
+        """Intercept requests before they reach the router.
+
+        Args:
+            request: The incoming HTTP request.
+            call_next: The next middleware / router handler.
+
+        Returns:
+            Either a ``307 Temporary Redirect`` to ``/api/setup`` or the
+            normal router response.
+        """
+        path: str = request.url.path.rstrip("/") or "/"
+
+        # Allow requests that don't need setup guard.
+        if any(path.startswith(allowed) for allowed in _ALWAYS_ALLOWED):
+            return await call_next(request)
+
+        # If setup is not complete, block all other API requests.
+        if path.startswith("/api"):
+            db: aiosqlite.Connection | None = getattr(request.app.state, "db", None)
+            if db is not None:
+                from app.services import setup_service  # noqa: PLC0415
+
+                if not await setup_service.is_setup_complete(db):
+                    return RedirectResponse(
+                        url="/api/setup",
+                        status_code=status.HTTP_307_TEMPORARY_REDIRECT,
+                    )
+
+        return await call_next(request)
+
+
 # ---------------------------------------------------------------------------
 # Application factory
 # ---------------------------------------------------------------------------
@@ -199,10 +256,17 @@ def create_app(settings: Settings | None = None) -> FastAPI:
         allow_headers=["*"],
     )
 
+    # --- Middleware ---
+    # Note: middleware is applied in reverse order of registration.
+    # The setup-redirect must run *after* CORS, so it is added last.
+    app.add_middleware(SetupRedirectMiddleware)
+
     # --- Exception handlers ---
     app.add_exception_handler(Exception, _unhandled_exception_handler)
 
     # --- Routers ---
     app.include_router(health.router)
+    app.include_router(setup.router)
+    app.include_router(auth.router)
 
     return app