feat(gui): add auth core, setup gate, and first-run operator creation

- Add migrations 007-010 for system config, operators, sessions, audit_log
- Implement argon2id password hashing via argon2-cffi
- Implement session-based authentication with database-stored tokens
- Add SetupGateMiddleware to redirect to /setup until first operator created
- Add SessionMiddleware to load session from cookie and attach operator
- Create /setup, /login, /logout, /change-password routes with CSRF protection
- Add periodic session cleanup task (hourly)
- Add audit logging for auth events
- Update systemd unit with EnvironmentFile for /etc/central/central.env
- Add comprehensive tests for auth, middleware, and audit modules

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

sql/migrations/009_add_sessions.sql

@@ -0,0 +1,11 @@
+-- Migration 009: Add config.sessions table for auth tokens
+-- Idempotent per docs/migrations.md
+
+CREATE TABLE IF NOT EXISTS config.sessions (
+    token TEXT PRIMARY KEY,
+    operator_id BIGINT NOT NULL REFERENCES config.operators(id) ON DELETE CASCADE,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    expires_at TIMESTAMPTZ NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS sessions_expires_at_idx ON config.sessions(expires_at);