feat(gui): add auth core, setup gate, and first-run operator creation

- Add migrations 007-010 for system config, operators, sessions, audit_log
- Implement argon2id password hashing via argon2-cffi
- Implement session-based authentication with database-stored tokens
- Add SetupGateMiddleware to redirect to /setup until first operator created
- Add SessionMiddleware to load session from cookie and attach operator
- Create /setup, /login, /logout, /change-password routes with CSRF protection
- Add periodic session cleanup task (hourly)
- Add audit logging for auth events
- Update systemd unit with EnvironmentFile for /etc/central/central.env
- Add comprehensive tests for auth, middleware, and audit modules

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

sql/migrations/010_add_audit_log.sql

@@ -0,0 +1,15 @@
+-- Migration 010: Add config.audit_log table
+-- Idempotent per docs/migrations.md
+
+CREATE TABLE IF NOT EXISTS config.audit_log (
+    id BIGSERIAL PRIMARY KEY,
+    ts TIMESTAMPTZ NOT NULL DEFAULT now(),
+    operator_id BIGINT REFERENCES config.operators(id) ON DELETE SET NULL,
+    action TEXT NOT NULL,
+    target TEXT,
+    before JSONB,
+    after JSONB
+);
+
+CREATE INDEX IF NOT EXISTS audit_log_ts_idx ON config.audit_log(ts DESC);
+CREATE INDEX IF NOT EXISTS audit_log_action_idx ON config.audit_log(action);