auth: integrate oidcstub as opt-in dev OP under auth.oidc.dev_stub

config: add auth.oidc.dev_stub block (disabled by default)

auth: lift oidc test stub into internal/testutil/oidcstub

tooling: adopt go tool directives; rename air→dev; bundle fmt drift

- Justfile: rename `air:` to `dev:`, body uses `go tool air`; the three
  migrate recipes use `go tool migrate`; `fmt` adds `go fix ./...`.
  Stale `brew install golang-migrate` comment block replaced with the
  one-line `go get -tool` bootstrap hint.
- README.md: quickstart says `just dev`.
- go.mod: declare github.com/air-verse/air and golang-migrate's cmd
  in the `tool` block (Go 1.24+) so contributors never need a separate
  install step. Updates go.sum accordingly.
- internal/domain/stats/repository.go: pre-existing `HostSplit` indent
  drift + trailing newline, surfaced by goimports inside the new fmt
  recipe.

project: drop unreachable rawHosts/rawTools fields on Project

The struct literal carried two unexported fields with
db:"raw_hosts" / db:"raw_tools" tags, but the actual scan
target is the local rawRow struct in List() that does the
GROUP_CONCAT split + dedupe before assigning Hosts/Tools.
sqlx silently ignores the unexported fields, so they never
held any data; they just confused the next reader of the
type definition.

web: review fixes for projects/stats SPA routes

- ProjectsTable: drop the inner navigate call from handleOpen;
  the parent route already navigates via the onOpen callback,
  so the second push was creating a duplicate history entry
  on every row click. Matches the SessionsTable pattern.

- HorizontalBars: replace href:string with onActivate(row)
  callback. The earlier shape passed a pre-encoded path
  string straight into TanStack <Link to={...}>; routing the
  navigation through the typed (to, params) form via the
  caller avoids any double-encoding ambiguity around splat
  params and decouples the primitive from a specific route.

- stats.css: drop duplicated .card / .card-head / .card-body
  blocks. The same rules already live in shell.css (loaded
  globally), so any future divergence between the two copies
  would silently desync.

web: regenerate embedded SPA bundle for stats route

Vite stamps content-hash asset filenames; the Phase 5 source changes
flipped both bundle hashes. The Phase 5 commit (e048bdf) shipped the
source but not the regenerated index.html, which the Go server embeds
via embed.FS to serve the SPA. Re-stage so the embedded asset path
matches the actual bundle on disk.

web: project detail route scoped via ?cwd= sessions filter

web: projects index route with real /projects data

stats: add /api/v1/stats aggregate endpoint

Implements Phase 2 of lethe-web-ui-aggregates: a single-round-trip
/api/v1/stats endpoint that bundles per-tool rollup, daily time-series,
84-cell activity heatmap, top-cwd ranking, hour-of-day distribution, and
host split. All six aggregations run fresh per request; no server cache.

- internal/domain/stats/buckets.go: pure helpers DailyWindow, FillDaily,
  HeatmapWindow, HourWindow — fully deterministic, tested independently.
- internal/domain/stats/repository.go: Filter/Stats types and Repository.Stats
  — six SQL queries joined via sessions+turns, owner scope via OwnerScope
  (AllOwners / SpecificOwner / default), sparkline capped at 60 buckets.
- internal/domain/stats/handler.go: Handler.List — ?range=7d|30d|90d|all
  (default 30d); ?range=<other> → 400 INVALID; ?owner= non-admin → 403.
- internal/server/server.go: register *stats.Handler alongside project/sessions.
- cmd/lethe/main.go: add statsRepo/statsHnd to var block and steward graph.
- cmd/lethe/main_e2e_test.go: add stats.Repository/Handler to e2e graph.

project: add /api/v1/projects aggregation; sessions: add ?cwd= filter

- session.ListFilter gains Cwd *string; List appends working_dir = ?
  clause between Host and Since in fixed order (parameterised, column
  name is a literal)
- session.Handler reads ?cwd= and threads it to filter.Cwd; empty
  string treated as absent, consistent with other optional filters
- new package internal/domain/project:
  - Repository.List groups sessions by non-NULL working_dir in a single
    SQL round-trip; correlated subquery picks top_tool with tie-broken
    by tool ASC; Hosts/Tools deduped and sorted in Go after
    GROUP_CONCAT
  - Handler mounts GET /projects; resolveScope/clampLimit/clampOffset
    duplicated from session handler; ?owner= admin gating identical
- server.Server gains Projects *project.Handler inject field; mounted
  in /api/v1 Route block
- main.go and e2e test register projectRepo + projectHnd with steward

web: session view with turn list and transcript

Phase 6: replace the placeholder session route with the real implementation.
Adds useSession hook (TanStack Query), TurnList aside, Transcript with
react-markdown rendering, session.css, and the updated session route with
SubBar breadcrumb, error/loading states, and turn selection/scroll.

web: home route with real session list, filters, keyboard cursor

- api/client.ts: apiFetch with AuthError/APIError, 401 and problem+json handling
- api/adapters.ts: SessionDTO→Session adapter with composite id and epoch conversion
- api/adapters.test.ts: 6 TDD tests covering all specified edge cases
- features/home/useSessions.ts: TanStack Query hook with since/tool/host params
- features/home/FilterChips.tsx: chip-bar with popovers, Esc/outside-click dismiss
- features/home/SessionsTable.tsx: grid table with cursor row highlight, formatStarted/formatTok
- features/home/useHomeCursor.ts: cursor hook with move/activate/jumpTo
- routes/index.tsx: Home route wired to real data, URL-driven filters, keyboard cursor
- routes/__root.tsx: cursorRef + KeyboardCursorContext for route-local cursor registration
- routes/session.$tool.$host.$id.tsx: stub for Phase 6
- styles/home.css: .home-table/.home-thead/.home-row/.home-row.cursor grid rules
- primitives/ToolDot.tsx: widened tool prop to string (Tool type is open-ended)

web: shell, theme, keyboard, stub routes, palette skeleton

- lib/theme.ts: bootstrapTheme() + setTheme() with OS/localStorage sync
- lib/keyboard.ts: g-prefix nav, j/k cursor, ⌘K palette, Esc, Enter
- lib/theme.test.ts + lib/keyboard.test.ts: 26 vitest tests (TDD)
- shell/TopBar.tsx: brand crumb, search trigger, tab nav using router pathname
- shell/SubBar.tsx: slot component with optional right section
- shell/Palette.tsx: modal overlay, JUMP items, synthetic SEARCH row
- styles/shell.css + styles/palette.css: ported verbatim from prototype.css
- routes/__root.tsx: wires TopBar, Outlet, Palette, keyboard controller, bootstrapTheme
- routes/index.tsx + projects/stats/health/settings/search.tsx: EmptyState stubs
- main.tsx: replace scaffold div with RouterProvider
- vitest.config.ts: add jsdom url for localStorage support (Node 25 compat)

server: embed web SPA at /, wire build pipeline

- Add internal/server/web/embed.go with //go:embed all:dist and a
  SPA fallback shim: file-not-found → serve index.html at 200.
- Commit dist/.gitkeep and dist/index.html (placeholder) so go build
  works on a fresh clone; real build output stays gitignored.
- Mount web.Handler() as GET /* catch-all in server.go after /api/v1
  so API routes and probe endpoints shadow the wildcard.
- Add three server tests: ServesSPAAtRoot, SPAFallbackForNonAPIPath,
  APIPathsBypassSPA; update NotFoundReturnsProblemJSON for SPA era.
- Extend Justfile with web-{install,dev,build,test,lint,clean} targets;
  build now depends on web-build.
- Add node:20-alpine web-builder stage to Dockerfile; COPY dist into
  the Go builder stage before compiling.

session: extend List response with summary, turn_count, token totals, model

Add five aggregate fields to Session struct (Summary, TurnCount,
TokensInTotal, TokensOutTotal, Model) populated via a new
sessionListSelectColumns const that wraps correlated subqueries.
List uses the new const; Get is unchanged.

TestList_Aggregates covers: zero turns, long-content truncation to 200
chars, mixed-role model tracking (newest turn wins), and NULL token sums.

feat(cmd): wire server with /healthz /readyz /metrics + authed /api/v1

Phase 9 of lethe-server: thin main.go that loads config, registers every
steward asset, and orchestrates Inject -> Init -> Start -> wait -> Stop ->
Destroy. Compensates for the Phase 4 finding (steward.Manager does not
unwind on Init failure) by tracking destroyer-implementing assets in a
parallel slice and invoking Destroy in reverse registration order with a
per-call timeout when Init or Start fails.

Server.Start now opens its TCP listener synchronously and exposes the
bound address via Addr(), so the e2e smoke can bind to 127.0.0.1:0 and
discover the kernel-assigned port.

Adds an end-to-end smoke test that drives the real steward graph
(in-memory SQLite, real loopback listener, forward-auth) through ingest +
sessions list/detail for two users with the same composite session key,
proving owner isolation reaches all the way through the trust boundary.

Deletes internal/platform/health/steward_unwind_test.go: the canary's
purpose was to surface the unwind gap so Phase 9 could compensate, which
it now does.

README updated with consolidated curl quickstart (forward-auth + OIDC
bearer variants), trust-chain diagram and the proxy-must-strip-Remote-*
spoofing note, response-shape documentation for the API surface, and an
operational notes section covering health, metrics, lifecycle and logs.

feat(session): list and detail JSON API with filters

feat(ingest): NDJSON ingest with chunked transactions and partial-accept

feat(auth): forward-auth + OIDC bearer middleware with shared allowlist