chore: track task file and dist update for search UI

chore: update TODO and dist after search UI merge

fix: add tool column to search table; remove conversation bleed from comments

search: add /api/v1/search API and opencode collector parser

- Add FTS5 search repository with BM25 ranking, cursor pagination, and owner scoping
- Expose GET /api/v1/search with query, tool, host, since/until filters
- Add opencode collector parser reading from SQLite opencode.db
- Spike document recording canonical opencode storage format

Invariants: no schema migrations, no wire type changes, read-only search,
marker snippets (not HTML), invalid queries → 400 INVALID, parser interface
unchanged, collector state schema preserved, stats/react stubs untouched.

Reviewed: offset fix (message.rowid instead of time_created for progress marker),
all 22 test packages pass.

collector: persist skipped-only parser progress

collector: enforce outbox cap before replay

collector: fix daemon drain and backfill start

collector: preserve valid rows around ingest errors

collector: skip rejected rows after partial ingest

collector: add polling source runner

collector: align ingest sender with server response

collector: add ingest sender and outbox replay

collector: add config and state store

collector: add Claude Code parser

web: prune lethe_auth_failures log to the 5-min window on insert

oidcstub: percent-encode authorize redirect query params (PC1)

server/web: fail loud when index.html lacks </head> for config injection

web: AuthGate consolidates three "not authenticated" cards

Create AuthGate component as the single source of truth for the
unauthenticated UI. Cold renders show a manual sign-in button (IV7);
mid-session expiry auto-redirects via useEffect (IV7); auth_error shows
the distinct error card with a "Try again" button and never auto-retries
(IV6). Swap the inline AuthError cards at index, projects, and
SavedSearchesSection call sites.

web: /login + /auth/callback routes + auth context + config reader

- web/src/lib/config.ts: readConfig() reads window.__LETHE_CONFIG__ (IF1),
  converts client_id -> clientId, throws on absent config (GPC6)
- web/src/lib/authContext.tsx: AuthProvider subscribes to tokenStore, parses
  ID token name claim, exposes signIn/signOut/reportAuthError via context;
  hasBeenAuthenticated flag supports IV7 cold-vs-session distinction
- web/src/routes/login.tsx: /login route calls signIn(return_to) on mount
- web/src/routes/auth.callback.tsx: validates state+TTL, exchanges code via
  raw fetch to OP /token (allowed exception), stores access_token via
  tokenStore.set, anti-loop guard using countCallbackFailures (IV6)
- web/src/routes/__root.tsx: wraps tree in AuthProvider above
  KeyboardCursorContext
- web/src/routeTree.gen.ts: regenerated by Vite with /login and /auth/callback
- internal/server/web/dist/index.html: rebuilt artifact with new asset hashes

server/web: tag Config fields for snake_case JSON output (IF1 contract)