Remove client-side SHA-256 pre-hashing from setup and login

The sha256Hex helper used window.crypto.subtle.digest(), which is only
available in a secure context (HTTPS / localhost). In the HTTP Docker
environment crypto.subtle is undefined, causing a TypeError before any
request is sent — the setup and login forms both silently failed with
'An unexpected error occurred'.

Fix: pass raw passwords directly to the API. The backend already applies
bcrypt, which is sufficient. No stored hashes need migration because
setup never completed successfully in the HTTP environment.

* frontend/src/pages/SetupPage.tsx  — remove sha256Hex call
* frontend/src/api/auth.ts          — remove sha256Hex call
* frontend/src/pages/__tests__/SetupPage.test.tsx — drop crypto mock
* frontend/src/utils/crypto.ts      — deleted (no remaining callers)

frontend/src/api/auth.ts

@@ -7,22 +7,16 @@
 
 import { api } from "./client";
 import { ENDPOINTS } from "./endpoints";
-import type { LoginRequest, LoginResponse, LogoutResponse } from "../types/auth";
-import { sha256Hex } from "../utils/crypto";
+import type { LoginResponse, LogoutResponse } from "../types/auth";
 
 /**
  * Authenticate with the master password.
  *
- * The password is SHA-256 hashed client-side before transmission so that
- * the plaintext never leaves the browser.  The backend bcrypt-verifies the
- * received hash against the stored bcrypt(sha256) digest.
- *
  * @param password - The master password entered by the user.
  * @returns The login response containing the session token.
  */
 export async function login(password: string): Promise<LoginResponse> {
-  const body: LoginRequest = { password: await sha256Hex(password) };
-  return api.post<LoginResponse>(ENDPOINTS.authLogin, body);
+  return api.post<LoginResponse>(ENDPOINTS.authLogin, { password });
 }
 
 /**