fix: OIDC auth flow, Vite proxy, and PostgreSQL query compat

- Add auth redirect in root layout for unauthenticated users
- Proxy OIDC routes (/login, /callback, /logout) through Vite dev server
- Strip Secure flag from OIDC cookies in dev mode (HTTP localhost)
- Disable retry on auth query to prevent stale cookie loops
- Fix SQLite .get()/.all()/.run() calls in category and global-item
  services for PostgreSQL compatibility
- Add userId scoping to category service functions
- Add OIDC error logging in auth middleware
- Apply linter auto-formatting across affected files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tests/services/profile.service.test.ts

@@ -72,7 +72,10 @@ describe("Profile Service", () => {
 
 		it("returns only public setups, not private ones", async () => {
 			// Create one public and one private setup
-			const pub = await createSetup(db, userId, { name: "Public Setup", isPublic: true });
+			const pub = await createSetup(db, userId, {
+				name: "Public Setup",
+				isPublic: true,
+			});
 			const priv = await createSetup(db, userId, { name: "Private Setup" });
 
 			const profile = await getPublicProfile(db, userId);