web: map tool-call setting to boolean attribute

web: align tool-call hide selector

web: wire display settings UI

web: add display preference modules

docs(lethe-web-ui-login): record review pass + conclusion

web: prune lethe_auth_failures log to the 5-min window on insert

oidcstub: percent-encode authorize redirect query params (PC1)

server/web: fail loud when index.html lacks </head> for config injection

docs(lethe-web-ui-login): record verify checks

docs(lethe-web-ui-login): plan + execute hands-off decisions

web: AuthGate consolidates three "not authenticated" cards

Create AuthGate component as the single source of truth for the
unauthenticated UI. Cold renders show a manual sign-in button (IV7);
mid-session expiry auto-redirects via useEffect (IV7); auth_error shows
the distinct error card with a "Try again" button and never auto-retries
(IV6). Swap the inline AuthError cards at index, projects, and
SavedSearchesSection call sites.

web: /login + /auth/callback routes + auth context + config reader

- web/src/lib/config.ts: readConfig() reads window.__LETHE_CONFIG__ (IF1),
  converts client_id -> clientId, throws on absent config (GPC6)
- web/src/lib/authContext.tsx: AuthProvider subscribes to tokenStore, parses
  ID token name claim, exposes signIn/signOut/reportAuthError via context;
  hasBeenAuthenticated flag supports IV7 cold-vs-session distinction
- web/src/routes/login.tsx: /login route calls signIn(return_to) on mount
- web/src/routes/auth.callback.tsx: validates state+TTL, exchanges code via
  raw fetch to OP /token (allowed exception), stores access_token via
  tokenStore.set, anti-loop guard using countCallbackFailures (IV6)
- web/src/routes/__root.tsx: wraps tree in AuthProvider above
  KeyboardCursorContext
- web/src/routeTree.gen.ts: regenerated by Vite with /login and /auth/callback
- internal/server/web/dist/index.html: rebuilt artifact with new asset hashes

server/web: tag Config fields for snake_case JSON output (IF1 contract)

web: PKCE machinery + Authorization-header attachment in apiFetch

oidcstub: implement /authorize + /token auth-code+PKCE; inject window.__LETHE_CONFIG__ into SPA

docs(lethe-web-ui-palette-savedsearch): record review pass + conclusion

savedsearch: reject ?owner= on DELETE; cover all write paths in test (IV2)

web: palette — gate prefetch with enabled+staleTime per plan 4.2

docs(lethe-web-ui-palette-savedsearch): record verify-driven fix-up + checks

test(lethe): register savedsearch repo+handler in e2e steward graph