M2-T02: add session/auth JSON API for the SPA

- GET /api/session (user + csrf_token, 401 when unauthenticated)
- POST /api/auth/login (sets HttpOnly session cookie; 401 on bad creds; no CSRF)
- POST /api/auth/logout (session+CSRF; revokes session, clears cookie; 204)
- POST /api/auth/password (session+CSRF; reuses change_password; 400 on failure; 204)
- reuses app/services/auth.py and shared require_session/require_csrf deps
- register router in app/main.py; regenerate openapi/
- tests/test_api_session.py

app/main.py

@@ -9,6 +9,7 @@ from sqlalchemy.orm import Session
 
 from app import models  # noqa: F401
 from app.api.routes.api.config import router as api_config_router
+from app.api.routes.api.session import router as api_session_router
 from app.api.routes.auth import router as auth_router
 from app.api.routes import pages, status
 from app.db import get_session_local
@@ -93,6 +94,7 @@ def create_app() -> FastAPI:
     app.include_router(auth_router)
     app.include_router(pages.router)
     app.include_router(api_config_router)
+    app.include_router(api_session_router)
     app.include_router(homeassistant_router)
     app.include_router(location_router)
     app.include_router(poo_router)