feat: replace admin auth with cookie-based profile picker

Remove all authentication (login, sessions, bcrypt, itsdangerous) since
the app runs on a private homelab LAN. Replace with a profile picker
landing page and cookie-based profile selection (1-year expiry).

- Add Alembic migration to drop password_hash/is_admin columns
- Delete auth service, auth routes, login template, and auth tests
- Rewrite app/utils/auth.py with NoProfileSelectedError and
  require_active_profile dependency
- Add profile creation flow (GET/POST /profiles/create)
- Rewrite home page as profile picker with card layout
- Update all route files to use profile dependency instead of admin auth
- Remove bcrypt and itsdangerous from requirements
- Remove admin_username/admin_password from config
- Update all tests for new profile-based access model

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/routes/exercises.py

@@ -1,6 +1,6 @@
 """Exercise browser routes with HTMX search/filter support.
 
-All filtering is done via HTMX partial responses — no JSON APIs.
+All filtering is done via HTMX partial responses -- no JSON APIs.
 """
 
 import structlog
@@ -11,7 +11,7 @@ from sqlmodel import Session
 from app.database import get_db_session
 from app.models.user import User
 from app.services.exercise_service import ExerciseService
-from app.utils.auth import get_current_admin_user
+from app.utils.auth import require_active_profile
 
 logger = structlog.get_logger(__name__)
 
@@ -22,18 +22,9 @@ router = APIRouter(prefix="/exercises", tags=["exercises"])
 async def exercise_browser(
     request: Request,
     session: Session = Depends(get_db_session),
-    admin: User = Depends(get_current_admin_user),
+    profile: User = Depends(require_active_profile),
 ):
-    """Render the exercise browser page with all exercises.
-
-    Args:
-        request: The incoming HTTP request.
-        session: Database session.
-        admin: The authenticated admin user.
-
-    Returns:
-        Rendered exercise browser page.
-    """
+    """Render the exercise browser page with all exercises."""
     exercise_service = ExerciseService(session)
     exercises = exercise_service.list_exercises()
     workout_days = exercise_service.list_workout_days()
@@ -47,7 +38,6 @@ async def exercise_browser(
         "exercises": exercises,
         "workout_days": workout_days,
         "muscle_groups": muscle_groups,
-        "admin": admin,
     })
 
 
@@ -55,24 +45,11 @@ async def exercise_browser(
 async def exercise_search(
     request: Request,
     session: Session = Depends(get_db_session),
-    admin: User = Depends(get_current_admin_user),
+    profile: User = Depends(require_active_profile),
     workout_day: str = Query(default="", alias="workout_day"),
     muscle_group: str = Query(default="", alias="muscle_group"),
 ):
-    """Return filtered exercise list as an HTMX partial.
-
-    Called via hx-get from the exercise browser filter dropdowns.
-
-    Args:
-        request: The incoming HTTP request.
-        session: Database session.
-        admin: The authenticated admin user.
-        workout_day: Filter by workout day name.
-        muscle_group: Filter by muscle group.
-
-    Returns:
-        Rendered exercise list partial HTML.
-    """
+    """Return filtered exercise list as an HTMX partial."""
     exercise_service = ExerciseService(session)
     exercises = exercise_service.list_exercises(
         workout_day=workout_day or None,