Phase 1 auth security hotfixes: cookie-based session, bearer checks, router guard sync ...

- Remove access_token from OAuth callback URL (token leak fix)
- Add sanitizeReturnTo() to prevent open redirect on login/callback
- Add Bearer token expiration check in resolve_user_by_bearer()
- Add user status check in load_user_by_id() (block inactive/banned)
- Cache authStore.init() promise to prevent race condition
- Await auth init in router beforeEach guard
- Remove URL token parsing from main.js and LoginPage
- Remove hasTokenInUrl workaround from client.js 401 handler

Fix OAuth callback: extract access_token in main.js before auth init, prevent 401 redirect loop in client.js

Integrate Vue webclient into server: serve SPA from /, remove proxy.php, update auth redirects

Route all auth/login requests through proxy.php for cross-domain SPA ...

- Replace direct /auth/login with /proxy.php?path=/auth/login so the
  request reaches the PHP backend through proxy.php when the SPA runs
  on a different domain (panel.smarthome.arp vs 192.168.1.101).
- Pass full window.location.href as return_to so the OAuth callback
  redirects back to the panel domain, not the bare server IP.

Add Bearer token persistence for cross-domain SPA auth ...

- api/auth.js: persist access token in localStorage so it survives
  page reloads and works across domains (panel vs server IP).
- LoginPage.vue: on mount, check for access_token in URL query
  params (from OAuth callback) and initialize auth store.
- AuthController::callback(): append access_token + expires_in to
  the redirect URL so the SPA can capture it.

Fix auth session persistence: add credentials:include to fetch and session_start to auth flow ...

- http.js: add credentials: 'include' to fetch() so cookies are sent
  with every API request (fixes /auth/me returning 401 after callback)
- AuthControllerTrait::resolve_user(): ensure session_start() before
  reading
- AuthController::callback(): ensure session_start() before writing

- AuthService::handleCallback(): defer DB token persistence until
  local user ID is resolved; store temp token data in session
- UserResolver: fix lastInsertId() method name, remove avatarUrl()
  call (use profile array instead)

This fixes the loop where user was redirected back to /login after
successful OAuth callback because PHP session cookie was not sent
with the /auth/me request.

Phase 4: Vue client auth store, Bearer token injection, router guards, login page ...

Server:
- AuthControllerTrait now supports both session and Bearer token auth
  (resolves user from Authorization: Bearer header via shserv_sessions)

Vue client:
- Add api/auth.js module for access token management
- Inject Authorization: Bearer header in http.js
- Handle 401 in client.js: clear token + redirect to /auth/login
- New Pinia auth store (stores/auth.js): init, refreshToken, logout, hasPermission
- New usePermission composable
- Router guards: redirect unauthenticated to /login, permission-based route blocking
- New LoginPage.vue with gnexus-auth login button
- AppShell: conditional nav items by permission, user bar with logout
- main.js: initialize auth before mounting app
- MSW mocks: /auth/me, /auth/logout, /auth/refresh
- Fix AppShell.spec.js for Pinia + router setup

All 167 tests pass.

Fix abandoned scan overload: flock lock + connection abort detection + client timeout

Phase 3: Vue client UI for firmware catalog and device OTA updates

Phase 6: Rename webclient-vue to webclient, match legacy dist structure