Add session-based authentication with login/logout

- Users and sessions tables (Argon2 password hashing, SHA-256 session tokens)
- Server hooks validate session cookie on every request
- (app) routes redirect to /login if not authenticated
- Login page with email/password, styled matching budget app
- Logout via POST form action (invalidates session)
- User display name and sign out button in header
- create-user CLI script: npm run create-user <email> <password> [name]
- 30-day sessions with auto-refresh after 15 days

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/hooks.server.ts

@@ -0,0 +1,29 @@
+import type { Handle } from '@sveltejs/kit';
+import { validateSession, setSessionCookie, deleteSessionCookie } from '$lib/server/auth/index.js';
+
+export const handle: Handle = async ({ event, resolve }) => {
+	const token = event.cookies.get('session');
+
+	if (token) {
+		const { session, user } = await validateSession(token);
+
+		if (session && user) {
+			event.locals.user = user;
+			event.locals.session = session;
+
+			// Refresh cookie if session was extended
+			if (session.fresh) {
+				setSessionCookie(event, token, session.expiresAt);
+			}
+		} else {
+			event.locals.user = null;
+			event.locals.session = null;
+			deleteSessionCookie(event);
+		}
+	} else {
+		event.locals.user = null;
+		event.locals.session = null;
+	}
+
+	return resolve(event);
+};