feat(gui): custom login page, session-based auth

Replace nginx auth_basic + HTTP Basic Auth with a styled Flask login form.
- Session-based authentication (cookie, session.permanent)
- Custom login page with logo, error state, clean form design
- CSRF check skipped for /login route
- Logout button in sidebar footer
- nginx auth_basic removed; ADMIN_PASSWORD restored in .env

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

gui/static/style.css

@@ -82,6 +82,27 @@ body {
 .sidebar-nav a.active { background: #eff4ff; color: var(--accent); }
 .sidebar-nav a.active svg { color: var(--accent); }
 
+.sidebar-footer {
+  margin-top: auto;
+  padding: 12px 10px;
+  border-top: 1px solid var(--border);
+}
+
+.logout-btn {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 8px 12px;
+  border-radius: 8px;
+  font-size: 13px;
+  font-weight: 500;
+  color: var(--text-muted);
+  text-decoration: none;
+  transition: background .15s, color .15s;
+}
+
+.logout-btn:hover { background: #fee2e2; color: #dc2626; }
+
 /* ─── Layout ────────────────────────────────────────────────── */
 .layout { margin-left: var(--sidebar-w); flex: 1; display: flex; flex-direction: column; }
 main { padding: 28px 32px; flex: 1; max-width: 1400px; width: 100%; }