fix: setup routing, async bcrypt, password hashing, clean command

- Add SetupGuard component: redirects to /setup if setup not complete,
  shown as spinner while loading. All routes except /setup now wrapped.
- SetupPage redirects to /login on mount when setup already done.
- Fix async blocking: offload bcrypt.hashpw and bcrypt.checkpw to
  run_in_executor so they never stall the asyncio event loop.
- Hash password with SHA-256 (SubtleCrypto) before transmission; added
  src/utils/crypto.ts with sha256Hex(). Backend stores bcrypt(sha256).
- Add Makefile with make up/down/restart/logs/clean targets.
- Add tests: _check_password async, concurrent bcrypt, expired session,
  login-without-setup, run_setup event-loop interleaving.
- Update Architekture.md and Features.md to reflect all changes.

Docs/Architekture.md

@@ -285,6 +285,8 @@ frontend/
 │   │   ├── WorldMap.tsx       #   Country-outline map with ban counts
 │   │   ├── ImportLogTable.tsx #   Blocklist import run history
 │   │   ├── ConfirmDialog.tsx  #   Reusable confirmation modal
+│   │   ├── RequireAuth.tsx    #   Route guard: redirects unauthenticated users to /login
+│   │   ├── SetupGuard.tsx     #   Route guard: redirects to /setup if setup incomplete
 │   │   └── ...                #   (additional shared components)
 │   ├── hooks/                 # Custom React hooks (stateful logic + API calls)
 │   │   ├── useAuth.ts         #   Login state, login/logout actions
@@ -325,6 +327,7 @@ frontend/
 │   ├── utils/                 # Pure helper functions
 │   │   ├── formatDate.ts      #   Date/time formatting with timezone support
 │   │   ├── formatIp.ts        #   IP display formatting
+│   │   ├── crypto.ts          #   Browser-native SHA-256 helper (SubtleCrypto)
 │   │   └── constants.ts       #   Frontend constants (time presets, etc.)
 │   ├── App.tsx                # Root: FluentProvider + BrowserRouter + routes
 │   ├── main.tsx               # Vite entry point
@@ -366,6 +369,8 @@ Reusable UI building blocks. Components receive data via props, emit changes via
 | `RegexTester` | Side-by-side sample log + regex input with live match highlighting |
 | `ImportLogTable` | Table displaying blocklist import history |
 | `ConfirmDialog` | Reusable Fluent UI Dialog for destructive action confirmations |
+| `RequireAuth` | Route guard: renders children only when authenticated; otherwise redirects to `/login?next=<path>` |
+| `SetupGuard` | Route guard: checks `GET /api/setup` on mount and redirects to `/setup` if not complete; shows a spinner while loading |
 
 #### Hooks (`src/hooks/`)
 
@@ -410,7 +415,8 @@ React context providers for application-wide concerns.
 
 | Provider | Purpose |
 |---|---|
-| `AuthProvider` | Holds authentication state, wraps protected routes, redirects unauthenticated users to `/login` |
+| `AuthProvider` | Holds authentication state; exposes `isAuthenticated`, `login()`, and `logout()` via `useAuth()` |
+| `TimezoneProvider` | Reads the configured IANA timezone from the backend and supplies it to all children via `useTimezone()` |
 | `ThemeProvider` | Manages light/dark theme selection, supplies the active Fluent UI theme to `FluentProvider` |
 
 #### Theme (`src/theme/`)
@@ -419,7 +425,14 @@ Fluent UI custom theme definitions and design token constants. No component logi
 
 #### Utils (`src/utils/`)
 
-Pure helper functions with no React or framework dependency. Date formatting, IP display formatting, shared constants.
+Pure helper functions with no React or framework dependency. Date formatting, IP display formatting, shared constants, and cryptographic utilities.
+
+| Utility | Purpose |
+|---|---|
+| `formatDate.ts` | Date/time formatting with IANA timezone support |
+| `formatIp.ts` | IP address display formatting |
+| `crypto.ts` | `sha256Hex(input)` — SHA-256 digest via browser-native `SubtleCrypto` API; used to hash passwords before transmission |
+| `constants.ts` | Frontend constants (time presets, etc.) |
 
 ---