web: prune lethe_auth_failures log to the 5-min window on insert

oidcstub: percent-encode authorize redirect query params (PC1)

server/web: fail loud when index.html lacks </head> for config injection

docs(lethe-web-ui-login): record verify checks

docs(lethe-web-ui-login): plan + execute hands-off decisions

web: AuthGate consolidates three "not authenticated" cards

Create AuthGate component as the single source of truth for the
unauthenticated UI. Cold renders show a manual sign-in button (IV7);
mid-session expiry auto-redirects via useEffect (IV7); auth_error shows
the distinct error card with a "Try again" button and never auto-retries
(IV6). Swap the inline AuthError cards at index, projects, and
SavedSearchesSection call sites.

web: /login + /auth/callback routes + auth context + config reader

- web/src/lib/config.ts: readConfig() reads window.__LETHE_CONFIG__ (IF1),
  converts client_id -> clientId, throws on absent config (GPC6)
- web/src/lib/authContext.tsx: AuthProvider subscribes to tokenStore, parses
  ID token name claim, exposes signIn/signOut/reportAuthError via context;
  hasBeenAuthenticated flag supports IV7 cold-vs-session distinction
- web/src/routes/login.tsx: /login route calls signIn(return_to) on mount
- web/src/routes/auth.callback.tsx: validates state+TTL, exchanges code via
  raw fetch to OP /token (allowed exception), stores access_token via
  tokenStore.set, anti-loop guard using countCallbackFailures (IV6)
- web/src/routes/__root.tsx: wraps tree in AuthProvider above
  KeyboardCursorContext
- web/src/routeTree.gen.ts: regenerated by Vite with /login and /auth/callback
- internal/server/web/dist/index.html: rebuilt artifact with new asset hashes

server/web: tag Config fields for snake_case JSON output (IF1 contract)

web: PKCE machinery + Authorization-header attachment in apiFetch

oidcstub: implement /authorize + /token auth-code+PKCE; inject window.__LETHE_CONFIG__ into SPA

docs(lethe-web-ui-palette-savedsearch): record review pass + conclusion

savedsearch: reject ?owner= on DELETE; cover all write paths in test (IV2)

web: palette — gate prefetch with enabled+staleTime per plan 4.2

docs(lethe-web-ui-palette-savedsearch): record verify-driven fix-up + checks

test(lethe): register savedsearch repo+handler in e2e steward graph

docs(lethe-web-ui-palette-savedsearch): plan + execute deviations

web: palette items — projects, sessions, saved searches

Extend the command palette with three new item kinds (project, session,
saved) backed by unconditional TanStack Query hooks. Items are grouped in
fixed order (jump → projects → sessions → saved) with section headers;
fire() dispatches kind-aware navigation; .palette-group-head CSS added.

web: sectioned /settings with saved-searches CRUD

Add four TanStack Query hooks (useSavedSearches, useCreateSavedSearch,
useUpdateSavedSearch, useDeleteSavedSearch) backed by IF3 contract.
Introduce apiFetchVoid in client.ts for the 204 No Content DELETE path.
Replace the placeholder /settings route with a two-column sectioned shell
(SectionRail + SavedSearchesSection); Display section is disabled pending #8.

web: adapter — add Session.sessionId, SavedSearch DTO; fix composite-id call sites

savedsearch: add /api/v1/saved-searches CRUD with 0002 migration