feat: implement authentication flow

Backend:
- AppConfig, AppError, AppState modules for shared infrastructure
- JWT creation/verification with HS256 (jsonwebtoken crate)
- Session management: SHA-256 token hashing, DB-backed sessions
- Auth middleware: AuthUser, RequireHost, RequireAdmin extractors
- POST /api/v1/join: name-only registration, 4-digit PIN + bcrypt hash
- POST /api/v1/recover: PIN-based recovery with 3-attempt lockout (15 min)
- POST /api/v1/admin/login: bcrypt password verification
- DELETE /api/v1/session: logout (session invalidation)
- Migration 006: user PIN lockout columns (failed_pin_attempts, pin_locked_until)
- Models: Event, User (with role enum), Session with all CRUD methods

Frontend:
- api.ts: typed fetch wrapper with automatic Bearer token injection
- auth.ts: JWT/PIN localStorage management with Svelte store
- /join: name entry form with PIN display modal and copy button
- /recover: name + PIN recovery form with saved PIN pre-fill
- /feed: placeholder gallery page with logout
- Root layout: auth initialization on mount
- Root page: redirect to /join or /feed based on auth state

All responses use German language strings as specified.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/src/state.rs

@@ -0,0 +1,28 @@
+use sqlx::PgPool;
+use tokio::sync::broadcast;
+
+use crate::config::AppConfig;
+
+#[derive(Clone, Debug)]
+pub struct SseEvent {
+    pub event_type: String,
+    pub data: String,
+}
+
+#[derive(Clone)]
+pub struct AppState {
+    pub pool: PgPool,
+    pub config: AppConfig,
+    pub sse_tx: broadcast::Sender<SseEvent>,
+}
+
+impl AppState {
+    pub fn new(pool: PgPool, config: AppConfig) -> Self {
+        let (sse_tx, _) = broadcast::channel(256);
+        Self {
+            pool,
+            config,
+            sse_tx,
+        }
+    }
+}