add auth system: users, login, JWT, protected routes

Domain: User entity, AuthPort/PasswordHashPort/SecretStore ports.
Adapters: auth (argon2 hashing, JWT tokens), secret-store (env-based),
config-sqlite user repository, http-api auth routes + extractors.
Application: auth_service. SPA: login page, auth client, protected router.

crates/bootstrap/src/main.rs

@@ -6,6 +6,8 @@ use anyhow::Result;
 use application::DataProjection;
 use config_sqlite::SqliteConfigStore;
 use http_api::AppState;
+use kframe_auth::{Argon2Hasher, AuthConfig, JwtAuthService};
+use secret_store::AesSecretStore;
 use std::sync::Arc;
 use tcp_server::{ClientTracker, TcpBroadcaster, TcpEventBus, run_tcp_server};
 use tracing::{error, info};
@@ -23,13 +25,20 @@ async fn main() -> Result<()> {
 
     let cfg = config::ServerConfig::from_env();
 
+    let auth_config = AuthConfig::from_env().map_err(|e| anyhow::anyhow!(e))?;
+    let secrets = AesSecretStore::from_env().map_err(|e| anyhow::anyhow!(e))?;
+
     info!(db = %cfg.database_url, "connecting to database");
-    let config_store = Arc::new(SqliteConfigStore::new(&cfg.database_url).await?);
+    let secrets = Arc::new(secrets);
+    let config_store =
+        Arc::new(SqliteConfigStore::with_secrets(&cfg.database_url, Some(secrets.clone())).await?);
 
     let event_bus = Arc::new(TcpEventBus::new(64));
     let broadcaster = Arc::new(TcpBroadcaster::new(64));
     let projection = Arc::new(DataProjection::new());
     let tracker = Arc::new(ClientTracker::new());
+    let auth = Arc::new(JwtAuthService::new(auth_config));
+    let hasher = Arc::new(Argon2Hasher);
 
     let tcp_addr = cfg.tcp_addr.clone();
     let tcp_bc = broadcaster.clone();
@@ -50,6 +59,8 @@ async fn main() -> Result<()> {
         widget_states: projection.clone(),
         broadcaster: broadcaster.clone(),
         clients: tracker.clone(),
+        auth: auth.clone(),
+        hasher: hasher.clone(),
         spa_dir: cfg.spa_dir,
     };
     tokio::spawn(async move {