server: embed web SPA at /, wire build pipeline

- Add internal/server/web/embed.go with //go:embed all:dist and a
  SPA fallback shim: file-not-found → serve index.html at 200.
- Commit dist/.gitkeep and dist/index.html (placeholder) so go build
  works on a fresh clone; real build output stays gitignored.
- Mount web.Handler() as GET /* catch-all in server.go after /api/v1
  so API routes and probe endpoints shadow the wildcard.
- Add three server tests: ServesSPAAtRoot, SPAFallbackForNonAPIPath,
  APIPathsBypassSPA; update NotFoundReturnsProblemJSON for SPA era.
- Extend Justfile with web-{install,dev,build,test,lint,clean} targets;
  build now depends on web-build.
- Add node:20-alpine web-builder stage to Dockerfile; COPY dist into
  the Go builder stage before compiling.

session: extend List response with summary, turn_count, token totals, model

Add five aggregate fields to Session struct (Summary, TurnCount,
TokensInTotal, TokensOutTotal, Model) populated via a new
sessionListSelectColumns const that wraps correlated subqueries.

List uses the new const; Get is unchanged.

TestList_Aggregates covers: zero turns, long-content truncation to 200
chars, mixed-role model tracking (newest turn wins), and NULL token sums.

feat(cmd): wire server with /healthz /readyz /metrics + authed /api/v1

Phase 9 of lethe-server: thin main.go that loads config, registers every
steward asset, and orchestrates Inject -> Init -> Start -> wait -> Stop ->
Destroy. Compensates for the Phase 4 finding (steward.Manager does not
unwind on Init failure) by tracking destroyer-implementing assets in a
parallel slice and invoking Destroy in reverse registration order with a
per-call timeout when Init or Start fails.

Server.Start now opens its TCP listener synchronously and exposes the
bound address via Addr(), so the e2e smoke can bind to 127.0.0.1:0 and
discover the kernel-assigned port.

Adds an end-to-end smoke test that drives the real steward graph
(in-memory SQLite, real loopback listener, forward-auth) through ingest +
sessions list/detail for two users with the same composite session key,
proving owner isolation reaches all the way through the trust boundary.

Deletes internal/platform/health/steward_unwind_test.go: the canary's
purpose was to surface the unwind gap so Phase 9 could compensate, which
it now does.

README updated with consolidated curl quickstart (forward-auth + OIDC
bearer variants), trust-chain diagram and the proxy-must-strip-Remote-*
spoofing note, response-shape documentation for the API surface, and an
operational notes section covering health, metrics, lifecycle and logs.

feat(session): list and detail JSON API with filters
feat(ingest): NDJSON ingest with chunked transactions and partial-accept
feat(auth): forward-auth + OIDC bearer middleware with shared allowlist
feat(http): chi server with middleware stack + RFC 7807 problem renderer
feat(platform): scribe logger, prometheus registry, health checker set
feat(db): SQLite schema with FTS5 + migration runner
feat(config): viper-loaded config with fail-fast validation
feat: bootstrap lethe server skeleton + wire contract