Reduce per-request DB overhead (Task 4)

- Cache setup_completed flag in app.state._setup_complete_cached after
  first successful is_setup_complete() call; all subsequent API requests
  skip the DB query entirely (one-way transition, cleared on restart).
- Add in-memory session token TTL cache (10 s) in require_auth; the second
  request with the same token within the window skips session_repo.get_session.
- Call invalidate_session_cache() on logout so revoked tokens are evicted
  immediately rather than waiting for TTL expiry.
- Add clear_session_cache() for test isolation.
- 5 new tests covering the cached fast-path for both optimisations.
- 460 tests pass, 83% coverage, zero ruff/mypy warnings.

backend/tests/test_routers/test_auth.py

@@ -2,6 +2,9 @@
 
 from __future__ import annotations
 
+from unittest.mock import patch
+
+import pytest
 from httpx import AsyncClient
 
 # ---------------------------------------------------------------------------
@@ -143,5 +146,107 @@ class TestRequireAuth:
         self, client: AsyncClient
     ) -> None:
         """Health endpoint is accessible without authentication."""
+
+
+# ---------------------------------------------------------------------------
+# Session-token cache (Task 4)
+# ---------------------------------------------------------------------------
+
+
+class TestRequireAuthSessionCache:
+    """In-memory session token cache inside ``require_auth``."""
+
+    @pytest.fixture(autouse=True)
+    def reset_cache(self) -> None:  # type: ignore[misc]
+        """Flush the session cache before and after every test in this class."""
+        from app import dependencies
+
+        dependencies.clear_session_cache()
+        yield  # type: ignore[misc]
+        dependencies.clear_session_cache()
+
+    async def test_second_request_skips_db(self, client: AsyncClient) -> None:
+        """Second authenticated request within TTL skips the session DB query.
+
+        The first request populates the in-memory cache via ``require_auth``.
+        The second request — using the same token before the TTL expires —
+        must return ``session_repo.get_session`` *without* calling it.
+        """
+        from app.repositories import session_repo
+
+        await _do_setup(client)
+        token = await _login(client)
+
+        # Ensure cache is empty so the first request definitely hits the DB.
+        from app import dependencies
+
+        dependencies.clear_session_cache()
+
+        call_count = 0
+        original_get_session = session_repo.get_session
+
+        async def _tracking(db, tok):  # type: ignore[no-untyped-def]
+            nonlocal call_count
+            call_count += 1
+            return await original_get_session(db, tok)
+
+        with patch.object(session_repo, "get_session", side_effect=_tracking):
+            resp1 = await client.get(
+                "/api/dashboard/status",
+                headers={"Authorization": f"Bearer {token}"},
+            )
+            resp2 = await client.get(
+                "/api/dashboard/status",
+                headers={"Authorization": f"Bearer {token}"},
+            )
+
+        assert resp1.status_code == 200
+        assert resp2.status_code == 200
+        # DB queried exactly once: the first request populates the cache,
+        # the second request is served entirely from memory.
+        assert call_count == 1
+
+    async def test_token_enters_cache_after_first_auth(
+        self, client: AsyncClient
+    ) -> None:
+        """A successful auth request places the token in ``_session_cache``."""
+        from app import dependencies
+
+        await _do_setup(client)
+        token = await _login(client)
+
+        dependencies.clear_session_cache()
+        assert token not in dependencies._session_cache
+
+        await client.get(
+            "/api/dashboard/status",
+            headers={"Authorization": f"Bearer {token}"},
+        )
+
+        assert token in dependencies._session_cache
+
+    async def test_logout_evicts_token_from_cache(
+        self, client: AsyncClient
+    ) -> None:
+        """Logout removes the session token from the in-memory cache immediately."""
+        from app import dependencies
+
+        await _do_setup(client)
+        token = await _login(client)
+
+        # Warm the cache.
+        await client.get(
+            "/api/dashboard/status",
+            headers={"Authorization": f"Bearer {token}"},
+        )
+        assert token in dependencies._session_cache
+
+        # Logout must evict the entry.
+        await client.post(
+            "/api/auth/logout",
+            headers={"Authorization": f"Bearer {token}"},
+        )
+        assert token not in dependencies._session_cache
+
         response = await client.get("/api/health")
         assert response.status_code == 200