fix: setup routing, async bcrypt, password hashing, clean command

- Add SetupGuard component: redirects to /setup if setup not complete,
  shown as spinner while loading. All routes except /setup now wrapped.
- SetupPage redirects to /login on mount when setup already done.
- Fix async blocking: offload bcrypt.hashpw and bcrypt.checkpw to
  run_in_executor so they never stall the asyncio event loop.
- Hash password with SHA-256 (SubtleCrypto) before transmission; added
  src/utils/crypto.ts with sha256Hex(). Backend stores bcrypt(sha256).
- Add Makefile with make up/down/restart/logs/clean targets.
- Add tests: _check_password async, concurrent bcrypt, expired session,
  login-without-setup, run_setup event-loop interleaving.
- Update Architekture.md and Features.md to reflect all changes.

backend/app/services/auth_service.py

@@ -7,6 +7,7 @@ survive server restarts.
 
 from __future__ import annotations
 
+import asyncio
 import secrets
 from typing import TYPE_CHECKING
 
@@ -25,9 +26,12 @@ from app.utils.time_utils import add_minutes, utc_now
 log: structlog.stdlib.BoundLogger = structlog.get_logger()
 
 
-def _check_password(plain: str, hashed: str) -> bool:
+async def _check_password(plain: str, hashed: str) -> bool:
     """Return ``True`` if *plain* matches the bcrypt *hashed* password.
 
+    Runs in a thread executor so the blocking bcrypt operation does not stall
+    the asyncio event loop.
+
     Args:
         plain: The plain-text password to verify.
         hashed: The stored bcrypt hash string.
@@ -35,7 +39,12 @@ def _check_password(plain: str, hashed: str) -> bool:
     Returns:
         ``True`` on a successful match, ``False`` otherwise.
     """
-    return bool(bcrypt.checkpw(plain.encode(), hashed.encode()))
+    plain_bytes = plain.encode()
+    hashed_bytes = hashed.encode()
+    loop = asyncio.get_running_loop()
+    return await loop.run_in_executor(
+        None, lambda: bool(bcrypt.checkpw(plain_bytes, hashed_bytes))
+    )
 
 
 async def login(
@@ -61,7 +70,7 @@ async def login(
         log.warning("bangui_login_no_hash")
         raise ValueError("No password is configured — run setup first.")
 
-    if not _check_password(password, stored_hash):
+    if not await _check_password(password, stored_hash):
         log.warning("bangui_login_wrong_password")
         raise ValueError("Incorrect password.")
 

backend/app/services/setup_service.py

@@ -7,6 +7,7 @@ enforcing the rule that setup can only run once.
 
 from __future__ import annotations
 
+import asyncio
 from typing import TYPE_CHECKING
 
 import bcrypt
@@ -72,8 +73,13 @@ async def run_setup(
     log.info("bangui_setup_started")
 
     # Hash the master password — bcrypt automatically generates a salt.
+    # Run in a thread executor so the blocking bcrypt operation does not stall
+    # the asyncio event loop.
     password_bytes = master_password.encode()
-    hashed = bcrypt.hashpw(password_bytes, bcrypt.gensalt()).decode()
+    loop = asyncio.get_running_loop()
+    hashed: str = await loop.run_in_executor(
+        None, lambda: bcrypt.hashpw(password_bytes, bcrypt.gensalt()).decode()
+    )
 
     await settings_repo.set_setting(db, _KEY_PASSWORD_HASH, hashed)
     await settings_repo.set_setting(db, _KEY_DATABASE_PATH, database_path)