fix: setup routing, async bcrypt, password hashing, clean command

- Add SetupGuard component: redirects to /setup if setup not complete,
  shown as spinner while loading. All routes except /setup now wrapped.
- SetupPage redirects to /login on mount when setup already done.
- Fix async blocking: offload bcrypt.hashpw and bcrypt.checkpw to
  run_in_executor so they never stall the asyncio event loop.
- Hash password with SHA-256 (SubtleCrypto) before transmission; added
  src/utils/crypto.ts with sha256Hex(). Backend stores bcrypt(sha256).
- Add Makefile with make up/down/restart/logs/clean targets.
- Add tests: _check_password async, concurrent bcrypt, expired session,
  login-without-setup, run_setup event-loop interleaving.
- Update Architekture.md and Features.md to reflect all changes.

Docs/Features.md

@@ -8,7 +8,9 @@ A web application to monitor, manage, and configure fail2ban from a clean, acces
 
 - Displayed automatically on first launch when no configuration exists.
 - As long as no configuration is saved, every route redirects to the setup page.
-- Once setup is complete and a configuration is saved, the setup page is never shown again and cannot be accessed.
+- Once setup is complete and a configuration is saved, the setup page redirects to the login page and cannot be used again.
+- The `SetupGuard` component checks the setup status on every protected route; if setup is not complete it redirects the user to `/setup`.
+- **Security:** The master password is SHA-256 hashed in the browser using the native `SubtleCrypto` API before it is transmitted. The backend then bcrypt-hashes the received hash with an auto-generated salt. The plaintext password never leaves the browser and is never stored.
 
 ### Options