feat: complete phase 12 auth and user-scoped history

[romanindev]

Completed Phase 12: Authentication and User-Scoped History.

This PR adds API and web authentication, scopes persisted analysis history to authenticated users, and updates project documentation to mark the planned roadmap as complete through Phase 12.

Changes

• Added API auth endpoints:
  • POST /auth/register
  • POST /auth/login
  • POST /auth/logout
  • GET /auth/me
• Added password hashing and httpOnly JWT session cookie.
• Added auth environment config:
  • AUTH_JWT_SECRET
  • AUTH_COOKIE_NAME
  • AUTH_COOKIE_SECURE
  • AUTH_COOKIE_MAX_AGE_MS
• Scoped persisted analyses by authenticated user_id.
• Kept logged-out debug analysis flow stateless.
• Added web login and registration pages.
• Added web header auth controls.
• Enabled cookie credentials in the shared Axios client.
• Added authenticated history panel with saved analysis reopen.
• Updated README, ROADMAP, PROGRESS, and workspace docs.

Verification

• pnpm --filter api test
• pnpm --filter api test:e2e
• pnpm lint
• pnpm build

Manual smoke tested:

• Register → analyze → history
• Logout → logged-out stateless flow
• Login → history restored
• Two users only see their own persisted analyses