fix: security and reliability improvements

- Switch HTTPServer to ThreadingHTTPServer (concurrent request handling)
- Replace SHA-256 password hashing with bcrypt (auth.py, database.py)
- Add bcrypt to Dockerfile
- Move qBittorrent env vars to config.py
- Move _booklore_token state out of config into booklore.py
- Remove dead fitness_token variable in command.py
- Fix OpenAI call to use default SSL context instead of no-verify ctx
- Log swallowed budget fetch error in dashboard.py

gateway/auth.py

@@ -2,10 +2,16 @@
 Platform Gateway — Auth handlers (login, logout, register).
 """
 
+"""
+NOTE: Passwords are hashed with bcrypt. Any existing SHA-256 hashed passwords
+in the database will no longer work. The admin user is re-seeded on first boot
+if no users exist. Other users need manual password reset.
+"""
 import json
-import hashlib
 import sqlite3
 
+import bcrypt
+
 from database import get_db
 from sessions import create_session, delete_session
 
@@ -24,14 +30,12 @@ def handle_login(handler, body):
         handler._send_json({"error": "Username and password required"}, 400)
         return
 
-    pw_hash = hashlib.sha256(password.encode()).hexdigest()
-
     conn = get_db()
-    user = conn.execute("SELECT * FROM users WHERE username = ? AND password_hash = ?",
-                        (username, pw_hash)).fetchone()
+    user = conn.execute("SELECT * FROM users WHERE username = ?",
+                        (username,)).fetchone()
     conn.close()
 
-    if not user:
+    if not user or not bcrypt.checkpw(password.encode(), user["password_hash"].encode()):
         handler._send_json({"error": "Invalid credentials"}, 401)
         return
 
@@ -76,7 +80,7 @@ def handle_register(handler, body):
         handler._send_json({"error": "Username and password required"}, 400)
         return
 
-    pw_hash = hashlib.sha256(password.encode()).hexdigest()
+    pw_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
 
     conn = get_db()
     try: