Add server, routes, views, CLI, CSS, and integration tests

- Server factory with Fastify plugins (JWT, cookie, multipart, formbody, static)
- Auth middleware: requireAuth preHandler (401 for API, redirect for pages)
- Auth API routes: POST /api/v1/auth/login, POST /api/v1/auth/logout
- File API routes: GET/POST /api/v1/files, DELETE /api/v1/files/:id
- Page routes: /, /login, /logout, /upload, /files, /files/:id/delete, /f/:id, /f/:id/raw
- HTML views: layout, login, upload, file-list, file-view, not-found
- CLI register-user script
- public/style.css dark theme
- Test helpers: createTestApp, loginAs, buildMultipart
- Integration tests for auth API, file API, and page routes (51 tests passing)
- Update CLAUDE.md with red/green TDD and commit instructions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/integration/auth-api.test.ts

@@ -0,0 +1,101 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { createTestApp, type TestContext } from '../helpers/setup.ts';
+import { createUser } from '../../src/db/users.ts';
+import { hashPassword } from '../../src/services/auth.ts';
+
+describe('POST /api/v1/auth/login', () => {
+  let ctx: TestContext;
+
+  beforeEach(async () => {
+    ctx = createTestApp();
+    const hash = await hashPassword('secret');
+    createUser(ctx.db, { username: 'alice', passwordHash: hash });
+  });
+
+  afterEach(async () => {
+    await ctx.app.close();
+    ctx.cleanup();
+  });
+
+  it('returns 200 and sets cookie on valid credentials', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/login',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ username: 'alice', password: 'secret' }),
+    });
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toEqual({ ok: true });
+    expect(res.headers['set-cookie']).toMatch(/token=/);
+  });
+
+  it('returns 401 on wrong password', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/login',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ username: 'alice', password: 'wrong' }),
+    });
+    expect(res.statusCode).toBe(401);
+  });
+
+  it('returns 401 on unknown user', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/login',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ username: 'ghost', password: 'x' }),
+    });
+    expect(res.statusCode).toBe(401);
+  });
+
+  it('returns 400 when fields are missing', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/login',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ username: 'alice' }),
+    });
+    expect(res.statusCode).toBe(400);
+  });
+});
+
+describe('POST /api/v1/auth/logout', () => {
+  let ctx: TestContext;
+  let token: string;
+
+  beforeEach(async () => {
+    ctx = createTestApp();
+    const hash = await hashPassword('secret');
+    createUser(ctx.db, { username: 'alice', passwordHash: hash });
+
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/login',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ username: 'alice', password: 'secret' }),
+    });
+    const cookie = res.headers['set-cookie'] as string;
+    token = cookie.split(';')[0].replace('token=', '');
+  });
+
+  afterEach(async () => {
+    await ctx.app.close();
+    ctx.cleanup();
+  });
+
+  it('clears cookie on logout', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/logout',
+      cookies: { token },
+    });
+    expect(res.statusCode).toBe(200);
+    expect(res.headers['set-cookie']).toMatch(/token=;/);
+  });
+
+  it('returns 401 without cookie', async () => {
+    const res = await ctx.app.inject({ method: 'POST', url: '/api/v1/auth/logout' });
+    expect(res.statusCode).toBe(401);
+  });
+});