web: AuthGate consolidates three "not authenticated" cards

Create AuthGate component as the single source of truth for the
unauthenticated UI. Cold renders show a manual sign-in button (IV7);
mid-session expiry auto-redirects via useEffect (IV7); auth_error shows
the distinct error card with a "Try again" button and never auto-retries
(IV6). Swap the inline AuthError cards at index, projects, and
SavedSearchesSection call sites.

web: /login + /auth/callback routes + auth context + config reader

- web/src/lib/config.ts: readConfig() reads window.__LETHE_CONFIG__ (IF1),
  converts client_id -> clientId, throws on absent config (GPC6)
- web/src/lib/authContext.tsx: AuthProvider subscribes to tokenStore, parses
  ID token name claim, exposes signIn/signOut/reportAuthError via context;
  hasBeenAuthenticated flag supports IV7 cold-vs-session distinction
- web/src/routes/login.tsx: /login route calls signIn(return_to) on mount
- web/src/routes/auth.callback.tsx: validates state+TTL, exchanges code via
  raw fetch to OP /token (allowed exception), stores access_token via
  tokenStore.set, anti-loop guard using countCallbackFailures (IV6)
- web/src/routes/__root.tsx: wraps tree in AuthProvider above
  KeyboardCursorContext
- web/src/routeTree.gen.ts: regenerated by Vite with /login and /auth/callback
- internal/server/web/dist/index.html: rebuilt artifact with new asset hashes

server/web: tag Config fields for snake_case JSON output (IF1 contract)

oidcstub: implement /authorize + /token auth-code+PKCE; inject window.__LETHE_CONFIG__ into SPA

savedsearch: reject ?owner= on DELETE; cover all write paths in test (IV2)

web: palette — gate prefetch with enabled+staleTime per plan 4.2

web: palette items — projects, sessions, saved searches

Extend the command palette with three new item kinds (project, session,
saved) backed by unconditional TanStack Query hooks. Items are grouped in
fixed order (jump → projects → sessions → saved) with section headers;
fire() dispatches kind-aware navigation; .palette-group-head CSS added.

web: sectioned /settings with saved-searches CRUD

Add four TanStack Query hooks (useSavedSearches, useCreateSavedSearch,
useUpdateSavedSearch, useDeleteSavedSearch) backed by IF3 contract.
Introduce apiFetchVoid in client.ts for the 204 No Content DELETE path.
Replace the placeholder /settings route with a two-column sectioned shell
(SectionRail + SavedSearchesSection); Display section is disabled pending #8.

savedsearch: add /api/v1/saved-searches CRUD with 0002 migration

web: add lambda favicon (svg + ico + apple-touch-icon)

Introduces the project mark — a Greek capital lambda Λ (initial of
Λήθη / Lethe) standing above a stylized rust ripple on a deep ink
plate. Reads as a glyph at 16 px; the ripple and inner rim emerge
at 32 px and above.

Three formats are shipped via web/public/ so Vite copies them
verbatim into the embedded dist bundle:

  - favicon.svg          canonical 64x64 vector source
  - favicon.ico          16/32/48 multi-resolution legacy fallback
  - apple-touch-icon.png 180x180 iOS home-screen bookmark

The ICO and PNG were rasterized from the SVG with rsvg-convert
(ImageMagick's built-in MSVG renderer drops strokes); magick is
only used to assemble the multi-image ICO container.

The dist/ placeholder index.html is regenerated alongside so a
fresh clone that hasn't run web-build yet still serves the icon
links from the committed fallback HTML.

auth: fix OIDCVerifier injection wiring + OIDCDevStub root attachment

Surfaced by the first end-to-end smoke of `auth.oidc.enabled=true`:

- `OIDCVerifier.Cfg` was typed `config.OIDCConfig`, but only `AuthConfig`
  is registered as a `config-section:""` (config.go:31-37). Steward's
  type-keyed injection threw `failed to find dependency` at `mgr.Inject`,
  panicking the daemon. Latent since 80b1c09 — never reached because no
  prior verified path enabled OIDC. Retyped to `config.AuthConfig`,
  Init now reads `Cfg.OIDC.{Issuer,Audience,UsernameClaim}`. Sibling-
  consistent with `Authenticator` and `OIDCDevStub`.

- `OIDCDevStub` had no dependents and no `steward.Root()` modifier, so
  steward logged `ERR empty dependents asset without root option` and
  skipped it in lifecycle bookkeeping (Destroy never called on shutdown).
  Added `steward.Root()` to its registration; shutdown log now shows
  `destroying component component=auth.OIDCDevStub`.

auth: integrate oidcstub as opt-in dev OP under auth.oidc.dev_stub

config: add auth.oidc.dev_stub block (disabled by default)

auth: lift oidc test stub into internal/testutil/oidcstub

tooling: adopt go tool directives; rename air→dev; bundle fmt drift

- Justfile: rename `air:` to `dev:`, body uses `go tool air`; the three
  migrate recipes use `go tool migrate`; `fmt` adds `go fix ./...`.
  Stale `brew install golang-migrate` comment block replaced with the
  one-line `go get -tool` bootstrap hint.
- README.md: quickstart says `just dev`.
- go.mod: declare github.com/air-verse/air and golang-migrate's cmd
  in the `tool` block (Go 1.24+) so contributors never need a separate
  install step. Updates go.sum accordingly.
- internal/domain/stats/repository.go: pre-existing `HostSplit` indent
  drift + trailing newline, surfaced by goimports inside the new fmt
  recipe.

project: drop unreachable rawHosts/rawTools fields on Project

The struct literal carried two unexported fields with
db:"raw_hosts" / db:"raw_tools" tags, but the actual scan
target is the local rawRow struct in List() that does the
GROUP_CONCAT split + dedupe before assigning Hosts/Tools.
sqlx silently ignores the unexported fields, so they never
held any data; they just confused the next reader of the
type definition.

web: review fixes for projects/stats SPA routes

- ProjectsTable: drop the inner navigate call from handleOpen;
  the parent route already navigates via the onOpen callback,
  so the second push was creating a duplicate history entry
  on every row click. Matches the SessionsTable pattern.

- HorizontalBars: replace href:string with onActivate(row)
  callback. The earlier shape passed a pre-encoded path
  string straight into TanStack <Link to={...}>; routing the
  navigation through the typed (to, params) form via the
  caller avoids any double-encoding ambiguity around splat
  params and decouples the primitive from a specific route.

- stats.css: drop duplicated .card / .card-head / .card-body
  blocks. The same rules already live in shell.css (loaded
  globally), so any future divergence between the two copies
  would silently desync.

web: regenerate embedded SPA bundle for stats route

Vite stamps content-hash asset filenames; the Phase 5 source changes
flipped both bundle hashes. The Phase 5 commit (e048bdf) shipped the
source but not the regenerated index.html, which the Go server embeds
via embed.FS to serve the SPA. Re-stage so the embedded asset path
matches the actual bundle on disk.

web: project detail route scoped via ?cwd= sessions filter

web: projects index route with real /projects data