fix: setup routing, async bcrypt, password hashing, clean command

- Add SetupGuard component: redirects to /setup if setup not complete,
  shown as spinner while loading. All routes except /setup now wrapped.
- SetupPage redirects to /login on mount when setup already done.
- Fix async blocking: offload bcrypt.hashpw and bcrypt.checkpw to
  run_in_executor so they never stall the asyncio event loop.
- Hash password with SHA-256 (SubtleCrypto) before transmission; added
  src/utils/crypto.ts with sha256Hex(). Backend stores bcrypt(sha256).
- Add Makefile with make up/down/restart/logs/clean targets.
- Add tests: _check_password async, concurrent bcrypt, expired session,
  login-without-setup, run_setup event-loop interleaving.
- Update Architekture.md and Features.md to reflect all changes.

frontend/src/api/auth.ts

@@ -8,15 +8,20 @@
 import { api } from "./client";
 import { ENDPOINTS } from "./endpoints";
 import type { LoginRequest, LoginResponse, LogoutResponse } from "../types/auth";
+import { sha256Hex } from "../utils/crypto";
 
 /**
  * Authenticate with the master password.
  *
+ * The password is SHA-256 hashed client-side before transmission so that
+ * the plaintext never leaves the browser.  The backend bcrypt-verifies the
+ * received hash against the stored bcrypt(sha256) digest.
+ *
  * @param password - The master password entered by the user.
  * @returns The login response containing the session token.
  */
 export async function login(password: string): Promise<LoginResponse> {
-  const body: LoginRequest = { password };
+  const body: LoginRequest = { password: await sha256Hex(password) };
   return api.post<LoginResponse>(ENDPOINTS.authLogin, body);
 }