web: prune lethe_auth_failures log to the 5-min window on insert

server/web: fail loud when index.html lacks </head> for config injection

web: AuthGate consolidates three "not authenticated" cards

Create AuthGate component as the single source of truth for the
unauthenticated UI. Cold renders show a manual sign-in button (IV7);
mid-session expiry auto-redirects via useEffect (IV7); auth_error shows
the distinct error card with a "Try again" button and never auto-retries
(IV6). Swap the inline AuthError cards at index, projects, and
SavedSearchesSection call sites.

web: /login + /auth/callback routes + auth context + config reader

- web/src/lib/config.ts: readConfig() reads window.__LETHE_CONFIG__ (IF1),
  converts client_id -> clientId, throws on absent config (GPC6)
- web/src/lib/authContext.tsx: AuthProvider subscribes to tokenStore, parses
  ID token name claim, exposes signIn/signOut/reportAuthError via context;
  hasBeenAuthenticated flag supports IV7 cold-vs-session distinction
- web/src/routes/login.tsx: /login route calls signIn(return_to) on mount
- web/src/routes/auth.callback.tsx: validates state+TTL, exchanges code via
  raw fetch to OP /token (allowed exception), stores access_token via
  tokenStore.set, anti-loop guard using countCallbackFailures (IV6)
- web/src/routes/__root.tsx: wraps tree in AuthProvider above
  KeyboardCursorContext
- web/src/routeTree.gen.ts: regenerated by Vite with /login and /auth/callback
- internal/server/web/dist/index.html: rebuilt artifact with new asset hashes

server/web: tag Config fields for snake_case JSON output (IF1 contract)

oidcstub: implement /authorize + /token auth-code+PKCE; inject window.__LETHE_CONFIG__ into SPA

web: palette — gate prefetch with enabled+staleTime per plan 4.2

web: palette items — projects, sessions, saved searches

Extend the command palette with three new item kinds (project, session,
saved) backed by unconditional TanStack Query hooks. Items are grouped in
fixed order (jump → projects → sessions → saved) with section headers;
fire() dispatches kind-aware navigation; .palette-group-head CSS added.

web: sectioned /settings with saved-searches CRUD

Add four TanStack Query hooks (useSavedSearches, useCreateSavedSearch,
useUpdateSavedSearch, useDeleteSavedSearch) backed by IF3 contract.
Introduce apiFetchVoid in client.ts for the 204 No Content DELETE path.
Replace the placeholder /settings route with a two-column sectioned shell
(SectionRail + SavedSearchesSection); Display section is disabled pending #8.

savedsearch: add /api/v1/saved-searches CRUD with 0002 migration

web: add lambda favicon (svg + ico + apple-touch-icon)

Introduces the project mark — a Greek capital lambda Λ (initial of
Λήθη / Lethe) standing above a stylized rust ripple on a deep ink
plate. Reads as a glyph at 16 px; the ripple and inner rim emerge
at 32 px and above.

Three formats are shipped via web/public/ so Vite copies them
verbatim into the embedded dist bundle:

  - favicon.svg          canonical 64x64 vector source
  - favicon.ico          16/32/48 multi-resolution legacy fallback
  - apple-touch-icon.png 180x180 iOS home-screen bookmark

The ICO and PNG were rasterized from the SVG with rsvg-convert
(ImageMagick's built-in MSVG renderer drops strokes); magick is
only used to assemble the multi-image ICO container.

The dist/ placeholder index.html is regenerated alongside so a
fresh clone that hasn't run web-build yet still serves the icon
links from the committed fallback HTML.

auth: fix OIDCVerifier injection wiring + OIDCDevStub root attachment

Surfaced by the first end-to-end smoke of `auth.oidc.enabled=true`:

- `OIDCVerifier.Cfg` was typed `config.OIDCConfig`, but only `AuthConfig`
  is registered as a `config-section:""` (config.go:31-37). Steward's
  type-keyed injection threw `failed to find dependency` at `mgr.Inject`,
  panicking the daemon. Latent since 80b1c09 — never reached because no
  prior verified path enabled OIDC. Retyped to `config.AuthConfig`,
  Init now reads `Cfg.OIDC.{Issuer,Audience,UsernameClaim}`. Sibling-
  consistent with `Authenticator` and `OIDCDevStub`.

- `OIDCDevStub` had no dependents and no `steward.Root()` modifier, so
  steward logged `ERR empty dependents asset without root option` and
  skipped it in lifecycle bookkeeping (Destroy never called on shutdown).
  Added `steward.Root()` to its registration; shutdown log now shows
  `destroying component component=auth.OIDCDevStub`.

auth: integrate oidcstub as opt-in dev OP under auth.oidc.dev_stub

auth: lift oidc test stub into internal/testutil/oidcstub

web: review fixes for projects/stats SPA routes

- ProjectsTable: drop the inner navigate call from handleOpen;
  the parent route already navigates via the onOpen callback,
  so the second push was creating a duplicate history entry
  on every row click. Matches the SessionsTable pattern.

- HorizontalBars: replace href:string with onActivate(row)
  callback. The earlier shape passed a pre-encoded path
  string straight into TanStack <Link to={...}>; routing the
  navigation through the typed (to, params) form via the
  caller avoids any double-encoding ambiguity around splat
  params and decouples the primitive from a specific route.

- stats.css: drop duplicated .card / .card-head / .card-body
  blocks. The same rules already live in shell.css (loaded
  globally), so any future divergence between the two copies
  would silently desync.

web: regenerate embedded SPA bundle for stats route

Vite stamps content-hash asset filenames; the Phase 5 source changes
flipped both bundle hashes. The Phase 5 commit (e048bdf) shipped the
source but not the regenerated index.html, which the Go server embeds
via embed.FS to serve the SPA. Re-stage so the embedded asset path
matches the actual bundle on disk.

web: project detail route scoped via ?cwd= sessions filter

web: projects index route with real /projects data

stats: add /api/v1/stats aggregate endpoint

Implements Phase 2 of lethe-web-ui-aggregates: a single-round-trip
/api/v1/stats endpoint that bundles per-tool rollup, daily time-series,
84-cell activity heatmap, top-cwd ranking, hour-of-day distribution, and
host split. All six aggregations run fresh per request; no server cache.

- internal/domain/stats/buckets.go: pure helpers DailyWindow, FillDaily,
  HeatmapWindow, HourWindow — fully deterministic, tested independently.
- internal/domain/stats/repository.go: Filter/Stats types and Repository.Stats
  — six SQL queries joined via sessions+turns, owner scope via OwnerScope
  (AllOwners / SpecificOwner / default), sparkline capped at 60 buckets.
- internal/domain/stats/handler.go: Handler.List — ?range=7d|30d|90d|all
  (default 30d); ?range=<other> → 400 INVALID; ?owner= non-admin → 403.
- internal/server/server.go: register *stats.Handler alongside project/sessions.
- cmd/lethe/main.go: add statsRepo/statsHnd to var block and steward graph.
- cmd/lethe/main_e2e_test.go: add stats.Repository/Handler to e2e graph.

project: add /api/v1/projects aggregation; sessions: add ?cwd= filter

- session.ListFilter gains Cwd *string; List appends working_dir = ?
  clause between Host and Since in fixed order (parameterised, column
  name is a literal)
- session.Handler reads ?cwd= and threads it to filter.Cwd; empty
  string treated as absent, consistent with other optional filters
- new package internal/domain/project:
  - Repository.List groups sessions by non-NULL working_dir in a single
    SQL round-trip; correlated subquery picks top_tool with tie-broken
    by tool ASC; Hosts/Tools deduped and sorted in Go after
    GROUP_CONCAT
  - Handler mounts GET /projects; resolveScope/clampLimit/clampOffset
    duplicated from session handler; ?owner= admin gating identical
- server.Server gains Projects *project.Handler inject field; mounted
  in /api/v1 Route block
- main.go and e2e test register projectRepo + projectHnd with steward