feat: Stage 2 — authentication and setup flow

Backend (tasks 2.1–2.6, 2.10):
- settings_repo: get/set/delete/get_all CRUD for the key-value settings table
- session_repo: create/get/delete/delete_expired for session rows
- setup_service: bcrypt password hashing, one-time-only enforcement,
  run_setup() / is_setup_complete() / get_password_hash()
- auth_service: login() with bcrypt verify + token creation,
  validate_session() with expiry check, logout()
- setup router: GET /api/setup (status), POST /api/setup (201 / 409)
- auth router: POST /api/auth/login (token + HttpOnly cookie),
               POST /api/auth/logout (clears cookie, idempotent)
- SetupRedirectMiddleware: 307 → /api/setup for all API paths until setup done
- require_auth dependency: cookie or Bearer token → Session or 401
- conftest.py: manually bootstraps app.state.db for router tests
  (ASGITransport does not trigger ASGI lifespan)
- 85 tests pass; ruff 0 errors; mypy --strict 0 errors

Frontend (tasks 2.7–2.9):
- types/auth.ts, types/setup.ts, api/auth.ts, api/setup.ts
- AuthProvider: sessionStorage-backed context (isAuthenticated, login, logout)
- RequireAuth: guard component → /login?next=<path> when unauthenticated
- SetupPage: Fluent UI form, client-side validation, inline errors
- LoginPage: single password input, ?next= redirect after success
- DashboardPage: placeholder (full impl Stage 5)
- App.tsx: full route tree (/setup, /login, /, *)

backend/app/repositories/settings_repo.py

@@ -0,0 +1,71 @@
+"""Settings repository.
+
+Provides CRUD operations for the ``settings`` key-value table in the
+application SQLite database.  All methods are plain async functions that
+accept a :class:`aiosqlite.Connection` — no ORM, no HTTP exceptions.
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    import aiosqlite
+
+
+async def get_setting(db: aiosqlite.Connection, key: str) -> str | None:
+    """Return the value for *key*, or ``None`` if it does not exist.
+
+    Args:
+        db: Active aiosqlite connection.
+        key: The setting key to look up.
+
+    Returns:
+        The stored value string, or ``None`` if the key is absent.
+    """
+    async with db.execute(
+        "SELECT value FROM settings WHERE key = ?",
+        (key,),
+    ) as cursor:
+        row = await cursor.fetchone()
+        return str(row[0]) if row is not None else None
+
+
+async def set_setting(db: aiosqlite.Connection, key: str, value: str) -> None:
+    """Insert or replace the setting identified by *key*.
+
+    Args:
+        db: Active aiosqlite connection.
+        key: The setting key.
+        value: The value to store.
+    """
+    await db.execute(
+        "INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)",
+        (key, value),
+    )
+    await db.commit()
+
+
+async def delete_setting(db: aiosqlite.Connection, key: str) -> None:
+    """Delete the setting identified by *key* if it exists.
+
+    Args:
+        db: Active aiosqlite connection.
+        key: The setting key to remove.
+    """
+    await db.execute("DELETE FROM settings WHERE key = ?", (key,))
+    await db.commit()
+
+
+async def get_all_settings(db: aiosqlite.Connection) -> dict[str, str]:
+    """Return all settings as a plain ``dict``.
+
+    Args:
+        db: Active aiosqlite connection.
+
+    Returns:
+        A dictionary mapping every stored key to its value.
+    """
+    async with db.execute("SELECT key, value FROM settings") as cursor:
+        rows = await cursor.fetchall()
+        return {str(row[0]): str(row[1]) for row in rows}