feat(auth): AuthSessionController — POST /api/auth/login + /api/auth/logout with Spring Session JDBC

- Expose AuthenticationManager bean in SecurityConfig
- Permit /api/auth/login; return 401 (not 302) for unauthenticated requests
- Remove httpBasic and formLogin from SecurityConfig

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/resources/application.yaml

@@ -38,7 +38,6 @@ spring:
           starttls:
             enable: true
 
-spring:
   session:
     store-type: jdbc
     timeout: 28800s  # 8 h idle timeout (MaxInactiveIntervalInSeconds)