fix: OIDC auth flow, Vite proxy, and PostgreSQL query compat

- Add auth redirect in root layout for unauthenticated users
- Proxy OIDC routes (/login, /callback, /logout) through Vite dev server
- Strip Secure flag from OIDC cookies in dev mode (HTTP localhost)
- Disable retry on auth query to prevent stale cookie loops
- Fix SQLite .get()/.all()/.run() calls in category and global-item
  services for PostgreSQL compatibility
- Add userId scoping to category service functions
- Add OIDC error logging in auth middleware
- Apply linter auto-formatting across affected files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/server/services/thread.service.ts

@@ -1,5 +1,5 @@
 import { and, asc, desc, eq, max, sql } from "drizzle-orm";
-import { db as prodDb } from "../../db/index.ts";
+import type { db as prodDb } from "../../db/index.ts";
 import {
 	categories,
 	items,
@@ -15,11 +15,7 @@ import { getOrCreateUncategorized } from "./category.service.ts";
 
 type Db = typeof prodDb;
 
-export async function createThread(
-	db: Db,
-	userId: number,
-	data: CreateThread,
-) {
+export async function createThread(db: Db, userId: number, data: CreateThread) {
 	const [row] = await db
 		.insert(threads)
 		.values({ name: data.name, categoryId: data.categoryId, userId })
@@ -258,9 +254,7 @@ export async function deleteCandidate(
 	const [thread] = await db
 		.select({ id: threads.id })
 		.from(threads)
-		.where(
-			and(eq(threads.id, candidate.threadId), eq(threads.userId, userId)),
-		);
+		.where(and(eq(threads.id, candidate.threadId), eq(threads.userId, userId)));
 	if (!thread) return null;
 
 	await db.delete(threadCandidates).where(eq(threadCandidates.id, candidateId));