web: adapter — add Session.sessionId, SavedSearch DTO; fix composite-id call sites

savedsearch: add /api/v1/saved-searches CRUD with 0002 migration

web: add lambda favicon (svg + ico + apple-touch-icon)

Introduces the project mark — a Greek capital lambda Λ (initial of
Λήθη / Lethe) standing above a stylized rust ripple on a deep ink
plate. Reads as a glyph at 16 px; the ripple and inner rim emerge
at 32 px and above.

Three formats are shipped via web/public/ so Vite copies them
verbatim into the embedded dist bundle:

  - favicon.svg          canonical 64x64 vector source
  - favicon.ico          16/32/48 multi-resolution legacy fallback
  - apple-touch-icon.png 180x180 iOS home-screen bookmark

The ICO and PNG were rasterized from the SVG with rsvg-convert
(ImageMagick's built-in MSVG renderer drops strokes); magick is
only used to assemble the multi-image ICO container.

The dist/ placeholder index.html is regenerated alongside so a
fresh clone that hasn't run web-build yet still serves the icon
links from the committed fallback HTML.

docs(lethe-oidc-stub): record review pass + conclusion

docs(lethe-oidc-stub): record verify pass

docs(lethe-oidc-stub): record verify-driven fix-up deviations

auth: fix OIDCVerifier injection wiring + OIDCDevStub root attachment

Surfaced by the first end-to-end smoke of `auth.oidc.enabled=true`:

- `OIDCVerifier.Cfg` was typed `config.OIDCConfig`, but only `AuthConfig`
  is registered as a `config-section:""` (config.go:31-37). Steward's
  type-keyed injection threw `failed to find dependency` at `mgr.Inject`,
  panicking the daemon. Latent since 80b1c09 — never reached because no
  prior verified path enabled OIDC. Retyped to `config.AuthConfig`,
  Init now reads `Cfg.OIDC.{Issuer,Audience,UsernameClaim}`. Sibling-
  consistent with `Authenticator` and `OIDCDevStub`.

- `OIDCDevStub` had no dependents and no `steward.Root()` modifier, so
  steward logged `ERR empty dependents asset without root option` and
  skipped it in lifecycle bookkeeping (Destroy never called on shutdown).
  Added `steward.Root()` to its registration; shutdown log now shows
  `destroying component component=auth.OIDCDevStub`.

docs(lethe-oidc-stub): record execute deviations

auth: integrate oidcstub as opt-in dev OP under auth.oidc.dev_stub

config: add auth.oidc.dev_stub block (disabled by default)

auth: lift oidc test stub into internal/testutil/oidcstub

docs(lethe-oidc-stub): design + plan

docs: track tooling DX and lethe-oidc-stub follow-up (#10)

- TODO.md: mark task #5 (lethe-web-ui-aggregates) Reviewed; add task
  #10 lethe-oidc-stub (promote the in-test oidcTestServer to an
  exported testutil package, optionally a cmd/oidc-stub binary, to
  unblock real-browser smoke without standing up Authelia locally).
  New sections: Repo hygiene / Tooling DX (with the four tooling items
  now landed) and Deferred operational follow-ups (sourcecraft push +
  browser smoke for #5).
- tasks/lethe-web-ui-aggregates.md: cross-ref the deferred browser
  smoke to task #10 in Future work.

tooling: adopt go tool directives; rename air→dev; bundle fmt drift

- Justfile: rename `air:` to `dev:`, body uses `go tool air`; the three
  migrate recipes use `go tool migrate`; `fmt` adds `go fix ./...`.
  Stale `brew install golang-migrate` comment block replaced with the
  one-line `go get -tool` bootstrap hint.
- README.md: quickstart says `just dev`.
- go.mod: declare github.com/air-verse/air and golang-migrate's cmd
  in the `tool` block (Go 1.24+) so contributors never need a separate
  install step. Updates go.sum accordingly.
- internal/domain/stats/repository.go: pre-existing `HostSplit` indent
  drift + trailing newline, surfaced by goimports inside the new fmt
  recipe.

docs(lethe-web-ui-aggregates): record execute, verify, review

Mark task Reviewed. Conclusion captures the eight active
deviations, the four Important review findings (all
resolved in 3fbbfc8 and 1818fac), the verify checklist
(positive / negative / invariant / interface checks all
passing), and the deferred items needing user smoke
through the new SPA routes in a real browser.

project: drop unreachable rawHosts/rawTools fields on Project

The struct literal carried two unexported fields with
db:"raw_hosts" / db:"raw_tools" tags, but the actual scan
target is the local rawRow struct in List() that does the
GROUP_CONCAT split + dedupe before assigning Hosts/Tools.
sqlx silently ignores the unexported fields, so they never
held any data; they just confused the next reader of the
type definition.

web: review fixes for projects/stats SPA routes

- ProjectsTable: drop the inner navigate call from handleOpen;
  the parent route already navigates via the onOpen callback,
  so the second push was creating a duplicate history entry
  on every row click. Matches the SessionsTable pattern.

- HorizontalBars: replace href:string with onActivate(row)
  callback. The earlier shape passed a pre-encoded path
  string straight into TanStack <Link to={...}>; routing the
  navigation through the typed (to, params) form via the
  caller avoids any double-encoding ambiguity around splat
  params and decouples the primitive from a specific route.

- stats.css: drop duplicated .card / .card-head / .card-body
  blocks. The same rules already live in shell.css (loaded
  globally), so any future divergence between the two copies
  would silently desync.

web: regenerate embedded SPA bundle for stats route

Vite stamps content-hash asset filenames; the Phase 5 source changes
flipped both bundle hashes. The Phase 5 commit (e048bdf) shipped the
source but not the regenerated index.html, which the Go server embeds
via embed.FS to serve the SPA. Re-stage so the embedded asset path
matches the actual bundle on disk.

web: stats route with backend-driven chart primitives

web: project detail route scoped via ?cwd= sessions filter