feat(web): login-gated BFF auth — sealed session cookie + server-side token injection

Single-user, LAN-reachable-but-gated. The web server is a backend-for-frontend:

- Login: POST /_auth/login {password} checks PUNKTFUNK_UI_PASSWORD (constant-time) and
  sets a SEALED session cookie (h3 useSession / AES-GCM). server/middleware/auth.ts gates
  every request — pages 302 → /login, /api → 401 — and FAILS CLOSED (503) when
  PUNKTFUNK_UI_PASSWORD is unset, so a misconfigured LAN-exposed server admits no one.
- The management API stays loopback-only + token (never LAN-exposed). The proxy
  (server/routes/api/[...].ts) injects PUNKTFUNK_MGMT_TOKEN server-side and drops the
  browser's cookie before forwarding — the token never reaches the browser, which only
  holds the session cookie.

Nitro doesn't auto-scan a server/ dir, so the Nitro plugin gets an explicit scanDirs to
pick up middleware + routes. Client: removed the localStorage token (server injects it);
the fetcher bounces to /login on 401; new /login page (bare, no shell); Settings drops the
token field and gains a Sign-out button; en/de strings.

Validated live end to end: unauth /→302, /api→401; wrong pw→401; right pw→200+cookie;
authed /api/v1/status→200 (proxied, mgmt token injected — the host required it); logout→
session cleared→401. tsc + build green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

web/src/api/fetcher.ts

@@ -1,24 +1,11 @@
 // The fetch mutator orval-generated hooks call: `apiFetch<T>(url, RequestInit)`. orval is
 // configured (includeHttpResponseReturnType: false) so `T` is the response BODY; on an HTTP
-// error we THROW an `ApiError` so React Query's `isError` works (the query client is
-// configured not to retry 4xx — see src/router.tsx).
+// error we THROW an `ApiError` so React Query's `isError` works (the query client skips
+// retries on 4xx — see src/router.tsx).
 //
-// Centralizes the bearer token (from Settings → localStorage). In dev, requests use a
-// relative `/api/...` path that Vite proxies to the management host (same-origin, no CORS,
-// the token rides along); a production build served by the host hits the same path.
-
-const TOKEN_KEY = 'punktfunk.apiToken'
-
-export function getApiToken(): string {
-  if (typeof localStorage === 'undefined') return ''
-  return localStorage.getItem(TOKEN_KEY) ?? ''
-}
-
-export function setApiToken(token: string): void {
-  if (typeof localStorage === 'undefined') return
-  if (token) localStorage.setItem(TOKEN_KEY, token)
-  else localStorage.removeItem(TOKEN_KEY)
-}
+// Auth: requests are same-origin to `/api/...`; the browser sends only the session cookie
+// (the server-side proxy injects the management bearer token — the token never lives in the
+// browser). A 401 means the session is gone → bounce to /login.
 
 /** A failed API call. `status` is the HTTP code; `data` is the parsed `ApiError` body if any. */
 export class ApiError extends Error {
@@ -33,19 +20,26 @@ export class ApiError extends Error {
 }
 
 export async function apiFetch<T>(url: string, options?: RequestInit): Promise<T> {
-  const token = getApiToken()
   const headers = new Headers(options?.headers)
   headers.set('Accept', 'application/json')
-  if (token) headers.set('Authorization', `Bearer ${token}`)
 
-  const res = await fetch(url, { ...options, headers })
+  const res = await fetch(url, { ...options, headers, credentials: 'same-origin' })
 
   const text = await res.text()
   const body = text ? safeJson(text) : undefined
+  if (res.status === 401) redirectToLogin()
   if (!res.ok) throw new ApiError(res.status, body, res.statusText)
   return body as T
 }
 
+/** On lost session, send the user to the login screen, remembering where they were. */
+function redirectToLogin(): void {
+  if (typeof window === 'undefined') return
+  if (window.location.pathname === '/login') return
+  const next = encodeURIComponent(window.location.pathname)
+  window.location.href = `/login?next=${next}`
+}
+
 function safeJson(text: string): unknown {
   try {
     return JSON.parse(text)