fix: security and reliability improvements

- Switch HTTPServer to ThreadingHTTPServer (concurrent request handling)
- Replace SHA-256 password hashing with bcrypt (auth.py, database.py)
- Add bcrypt to Dockerfile
- Move qBittorrent env vars to config.py
- Move _booklore_token state out of config into booklore.py
- Remove dead fitness_token variable in command.py
- Fix OpenAI call to use default SSL context instead of no-verify ctx
- Log swallowed budget fetch error in dashboard.py

gateway/server.py

@@ -8,7 +8,9 @@ This file is thin routing only. All logic lives in submodules.
 
 import json
 from datetime import datetime
-from http.server import HTTPServer, BaseHTTPRequestHandler
+from http.server import BaseHTTPRequestHandler
+from socketserver import ThreadingMixIn
+from http.server import HTTPServer
 
 from config import (
     PORT, TRIPS_API_TOKEN, KINDLE_EMAIL_1, KINDLE_EMAIL_2,
@@ -337,7 +339,10 @@ def main():
     print(f"[Gateway] Services: {_proxy_module.SERVICE_MAP}")
     print(f"[Gateway] Listening on port {PORT}")
 
-    server = HTTPServer(("0.0.0.0", PORT), GatewayHandler)
+    class ThreadingHTTPServer(ThreadingMixIn, HTTPServer):
+        daemon_threads = True
+
+    server = ThreadingHTTPServer(("0.0.0.0", PORT), GatewayHandler)
     server.serve_forever()