fix: OIDC auth flow, Vite proxy, and PostgreSQL query compat

- Add auth redirect in root layout for unauthenticated users
- Proxy OIDC routes (/login, /callback, /logout) through Vite dev server
- Strip Secure flag from OIDC cookies in dev mode (HTTP localhost)
- Disable retry on auth query to prevent stale cookie loops
- Fix SQLite .get()/.all()/.run() calls in category and global-item
  services for PostgreSQL compatibility
- Add userId scoping to category service functions
- Add OIDC error logging in auth middleware
- Apply linter auto-formatting across affected files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tests/services/thread.service.test.ts

@@ -564,11 +564,7 @@ describe("Thread Service", () => {
 			expect(result.item?.productUrl).toBe("https://example.com/tent");
 
 			// Thread should be resolved
-			const resolved = await getThreadWithCandidates(
-				db,
-				userId,
-				thread.id,
-			);
+			const resolved = await getThreadWithCandidates(db, userId, thread.id);
 			expect(resolved?.status).toBe("resolved");
 			expect(resolved?.resolvedCandidateId).toBe(candidate.id);
 		});
@@ -585,12 +581,7 @@ describe("Thread Service", () => {
 			await resolveThread(db, userId, thread.id, candidate.id);
 
 			// Try to resolve again
-			const result = await resolveThread(
-				db,
-				userId,
-				thread.id,
-				candidate.id,
-			);
+			const result = await resolveThread(db, userId, thread.id, candidate.id);
 			expect(result.success).toBe(false);
 			expect(result.error).toBeDefined();
 		});
@@ -609,12 +600,7 @@ describe("Thread Service", () => {
 				categoryId: 1,
 			});
 
-			const result = await resolveThread(
-				db,
-				userId,
-				thread1.id,
-				candidate.id,
-			);
+			const result = await resolveThread(db, userId, thread1.id, candidate.id);
 			expect(result.success).toBe(false);
 			expect(result.error).toBeDefined();
 		});