Single-user auth: argon2 password, session cookie, route/SSE guard #6

Description

@Ryan-Atkinson87

Spec: §12 (UI scope — auth mechanism), §15 (auth resolved item), §10.

Login is required even on the LAN. A single-user password is verified against an argon2 hash held as the AUTH_PASSWORD_HASH secret; success establishes an HTTP-only, server-side session cookie, and one FastAPI dependency guards all routes and the SSE stream. No user table, no registration.

Acceptance criteria

  • POST /login verifies the submitted password against the argon2 hash from AUTH_PASSWORD_HASH.
  • On success, sets an HTTP-only session cookie (Secure + SameSite).
  • POST /logout invalidates the session.
  • One FastAPI dependency guards all protected routes and the SSE stream; unauthenticated requests get 401.
  • No user table and no registration endpoint (single human, single local server).
  • Failed logins return a generic 401; no leaking of validity beyond standard argon2 verification.
  • Tests cover login success, login failure, protected-route rejection without a session, and access with a valid session.
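
An added worked example of the login, logout and guard flow the criteria describe (this is not code from the project; it is plain Python so the pieces can be called from a FastAPI dependency). It assumes argon2-cffi for verification, a cookie named `session`, `SameSite=Strict`, and an in-memory session store:

```python
import hashlib
import secrets
from http.cookies import SimpleCookie
from typing import Callable, Optional

COOKIE_NAME = "session"  # assumed cookie name; the issue does not fix one

def argon2_verify(password_hash: str, password: str) -> bool:
    """Check a password against the AUTH_PASSWORD_HASH value with argon2-cffi (assumed library)."""
    from argon2 import PasswordHasher  # lazy import: the session logic below runs without it
    from argon2.exceptions import VerificationError
    try:
        return PasswordHasher().verify(password_hash, password)
    except (VerificationError, ValueError):  # wrong password or malformed hash: both just "no"
        return False

class AuthError(Exception):
    status_code = 401  # one generic answer whether the cookie is missing, stale or forged

def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()  # store a digest, never the raw cookie

class SessionAuth:
    """Single-user login/logout plus the one guard shared by every route and the SSE stream."""

    def __init__(self, password_hash: str, verify: Callable[[str, str], bool] = argon2_verify):
        self._hash, self._verify, self._sessions = password_hash, verify, set()  # no user table

    def login(self, password: str) -> Optional[str]:
        """Set-Cookie header on success; None on failure, which the route turns into a 401."""
        if not self._verify(self._hash, password):
            return None
        token = secrets.token_urlsafe(32)  # 256-bit random session id
        self._sessions.add(_key(token))
        return f"{COOKIE_NAME}={token}; HttpOnly; Secure; SameSite=Strict; Path=/"

    def guard(self, cookie_header: Optional[str]) -> str:
        """Dependency body: return the session key, or raise AuthError (401)."""
        morsel = SimpleCookie(cookie_header or "").get(COOKIE_NAME)
        if morsel is None or _key(morsel.value) not in self._sessions:
            raise AuthError("unauthenticated")
        return _key(morsel.value)

    def logout(self, cookie_header: Optional[str]) -> str:
        """Invalidate the server-side session and return a cookie-clearing header."""
        self._sessions.discard(self.guard(cookie_header))
        return f"{COOKIE_NAME}=; Max-Age=0; HttpOnly; Secure; SameSite=Strict; Path=/"
```

Browsers only send a `Secure` cookie over HTTPS (or to localhost), so on a plain-HTTP LAN address the session will never round-trip; serve the UI over TLS, or relax the flag only for loopback.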

Dependencies

Depends on: #2, #5

Labels: enhancement (New feature or request)