feat: replace admin auth with cookie-based profile picker

Remove all authentication (login, sessions, bcrypt, itsdangerous) since
the app runs on a private homelab LAN. Replace with a profile picker
landing page and cookie-based profile selection (1-year expiry).

- Add Alembic migration to drop password_hash/is_admin columns
- Delete auth service, auth routes, login template, and auth tests
- Rewrite app/utils/auth.py with NoProfileSelectedError and
  require_active_profile dependency
- Add profile creation flow (GET/POST /profiles/create)
- Rewrite home page as profile picker with card layout
- Update all route files to use profile dependency instead of admin auth
- Remove bcrypt and itsdangerous from requirements
- Remove admin_username/admin_password from config
- Update all tests for new profile-based access model

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/test_profile_routes.py

@@ -2,25 +2,34 @@
 
 from fastapi.testclient import TestClient
 
+from tests.conftest import set_profile_cookie
+
 
 class TestProfileSwitcher:
     """Tests for POST /profiles/switch."""
 
-    def test_switch_profile_requires_auth(self, client: TestClient) -> None:
-        """POST /profiles/switch should require admin login."""
+    def test_switch_profile_redirects_to_workouts(self, client: TestClient) -> None:
+        """POST /profiles/switch should set cookie and redirect to /workouts."""
         response = client.post(
             "/profiles/switch",
             data={"profile_id": "1"},
             follow_redirects=False,
         )
-        # Should redirect to login or return 401
-        assert response.status_code in (401, 303)
+        assert response.status_code == 303
+        assert response.headers["location"] == "/workouts"
 
 
 class TestProfileList:
     """Tests for GET /profiles."""
 
-    def test_profiles_page_requires_auth(self, client: TestClient) -> None:
-        """GET /profiles should require admin login."""
+    def test_profiles_page_requires_profile(self, client: TestClient) -> None:
+        """GET /profiles should redirect to / without profile cookie."""
         response = client.get("/profiles", follow_redirects=False)
-        assert response.status_code in (401, 303)
+        assert response.status_code == 302
+        assert response.headers["location"] == "/"
+
+    def test_profiles_page_with_profile(self, client: TestClient) -> None:
+        """GET /profiles should succeed with a valid profile cookie."""
+        set_profile_cookie(client, 1)
+        response = client.get("/profiles")
+        assert response.status_code == 200