fix: security and reliability improvements

- Switch HTTPServer to ThreadingHTTPServer (concurrent request handling)
- Replace SHA-256 password hashing with bcrypt (auth.py, database.py)
- Add bcrypt to Dockerfile
- Move qBittorrent env vars to config.py
- Move _booklore_token state out of config into booklore.py
- Remove dead fitness_token variable in command.py
- Fix OpenAI call to use default SSL context instead of no-verify ctx
- Log swallowed budget fetch error in dashboard.py
Yusuf Suleman
2026-03-29 07:02:09 -05:00
parent 7cd81181ed
commit d9768547be
9 changed files with 39 additions and 31 deletions


@@ -2,9 +2,10 @@
Platform Gateway — Database initialization and access.
"""
import hashlib
import sqlite3
import bcrypt
from config import (
DB_PATH, TRIPS_URL, FITNESS_URL, INVENTORY_URL,
MINIFLUX_URL, SHELFMARK_URL, SPOTIZERR_URL, BUDGET_URL,
@@ -124,7 +125,7 @@ def init_db():
# Seed default admin user if empty
user_count = c.execute("SELECT COUNT(*) FROM users").fetchone()[0]
if user_count == 0:
pw_hash = hashlib.sha256("admin".encode()).hexdigest()
pw_hash = bcrypt.hashpw("admin".encode(), bcrypt.gensalt()).decode()
c.execute("INSERT INTO users (username, password_hash, display_name) VALUES (?, ?, ?)",
("admin", pw_hash, "Yusuf"))
conn.commit()
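Review bot: The seeded account in `init_db()` is still `admin` with the literal password `"admin"`, so moving to bcrypt strengthens the stored hash but leaves a known default credential on every fresh install. Consider taking the initial password from deployment configuration or generating it, e.g. `initial_pw = os.environ.get("<ADMIN_INITIAL_PASSWORD>") or secrets.token_urlsafe(16)` (the variable name is a placeholder) followed by `pw_hash = bcrypt.hashpw(initial_pw.encode(), bcrypt.gensalt()).decode()`, and requiring a password change at first login. Rows created before this commit presumably still hold SHA-256 hex digests; the verification code is not visible here, so confirm that it rejects or rehashes those values instead of raising on a non-bcrypt hash. `import hashlib` is kept in the first hunk and may now be unused in this file. The body of `init_db()` starts outside the hunk.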