feat: add GFM markdown support including tables via remark-gfm

fix: store full opencode tool output and display it in session view

- Collector sender now supports Remote-User header for forward-auth
- OpenCode parser: store full tool output (was truncated to 120 chars + first line)
- OpenCode parser: generate fallback content for tool-only turns instead of empty content
- OpenCode parser: increase parse timeout to 5min for large DBs
- Frontend: show collapsible tool output in session detail below turn body
- Frontend: extract toolOutput from both opencode ({output}) and claude-code ({content}) formats

chore: track task file and dist update for search UI

chore: update TODO and dist after search UI merge

fix: add tool column to search table; remove conversation bleed from comments

search: add /api/v1/search API and opencode collector parser

- Add FTS5 search repository with BM25 ranking, cursor pagination, and owner scoping
- Expose GET /api/v1/search with query, tool, host, since/until filters
- Add opencode collector parser reading from SQLite opencode.db
- Spike document recording canonical opencode storage format

Invariants: no schema migrations, no wire type changes, read-only search,
marker snippets (not HTML), invalid queries → 400 INVALID, parser interface
unchanged, collector state schema preserved, stats/react stubs untouched.

Reviewed: offset fix (message.rowid instead of time_created for progress marker),
all 22 test packages pass.

collector: persist skipped-only parser progress

collector: enforce outbox cap before replay

collector: fix daemon drain and backfill start

collector: preserve valid rows around ingest errors

collector: skip rejected rows after partial ingest

collector: add polling source runner

collector: align ingest sender with server response

collector: add ingest sender and outbox replay

collector: add config and state store

collector: add Claude Code parser

web: prune lethe_auth_failures log to the 5-min window on insert

oidcstub: percent-encode authorize redirect query params (PC1)

server/web: fail loud when index.html lacks </head> for config injection

web: AuthGate consolidates three "not authenticated" cards

Create AuthGate component as the single source of truth for the
unauthenticated UI. Cold renders show a manual sign-in button (IV7);
mid-session expiry auto-redirects via useEffect (IV7); auth_error shows
the distinct error card with a "Try again" button and never auto-retries
(IV6). Swap the inline AuthError cards at index, projects, and
SavedSearchesSection call sites.