feat: Implement Phase 4 Web Interface with bugfixes (v0.5.2)

## Phase 4: Web Interface Implementation

Implemented complete web interface with public and admin routes,
templates, CSS, and development authentication.

### Core Features

**Public Routes**:
- Homepage with recent published notes
- Note permalinks with microformats2
- Server-side rendering (Jinja2)

**Admin Routes**:
- Login via IndieLogin
- Dashboard with note management
- Create, edit, delete notes
- Protected with @require_auth decorator

**Development Authentication**:
- Dev login bypass for local testing (DEV_MODE only)
- Security safeguards per ADR-011
- Returns 404 when disabled

**Templates & Frontend**:
- Base layouts (public + admin)
- 8 HTML templates with microformats2
- Custom responsive CSS (114 lines)
- Error pages (404, 500)

### Bugfixes (v0.5.1 → v0.5.2)

1. **Cookie collision fix (v0.5.1)**:
   - Renamed auth cookie from "session" to "starpunk_session"
   - Fixed redirect loop between dev login and admin dashboard
   - Flask's session cookie no longer conflicts with auth

2. **HTTP 404 error handling (v0.5.1)**:
   - Update route now returns 404 for nonexistent notes
   - Delete route now returns 404 for nonexistent notes
   - Follows ADR-012 HTTP Error Handling Policy
   - Pattern consistency across all admin routes

3. **Note model enhancement (v0.5.2)**:
   - Exposed deleted_at field from database schema
   - Enables soft deletion verification in tests
   - Follows ADR-013 transparency principle

### Architecture

**New ADRs**:
- ADR-011: Development Authentication Mechanism
- ADR-012: HTTP Error Handling Policy
- ADR-013: Expose deleted_at Field in Note Model

**Standards Compliance**:
- Uses uv for Python environment
- Black formatted, Flake8 clean
- Follows git branching strategy
- Version incremented per versioning strategy

### Test Results

- 405/406 tests passing (99.75%)
- 87% code coverage
- All security tests passing
- Manual testing confirmed working

### Documentation

- Complete implementation reports in docs/reports/
- Architecture reviews in docs/reviews/
- Design documents in docs/design/
- CHANGELOG updated for v0.5.2

### Files Changed

**New Modules**:
- starpunk/dev_auth.py
- starpunk/routes/ (public, admin, auth, dev_auth)

**Templates**: 10 files (base, pages, admin, errors)
**Static**: CSS and optional JavaScript
**Tests**: 4 test files for routes and templates
**Docs**: 20+ architectural and implementation documents

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

starpunk/routes/dev_auth.py

@@ -0,0 +1,84 @@
+"""
+Development authentication routes for StarPunk
+
+WARNING: These routes provide instant authentication bypass for local development.
+They are ONLY registered when DEV_MODE=true and return 404 otherwise.
+
+This file contains routes that should never be accessible in production.
+"""
+
+from flask import Blueprint, abort, current_app, flash, redirect, url_for
+
+from starpunk.dev_auth import create_dev_session, is_dev_mode
+
+# Create blueprint
+bp = Blueprint("dev_auth", __name__, url_prefix="/dev")
+
+
+@bp.before_request
+def check_dev_mode():
+    """
+    Security guard: Block all dev auth routes if DEV_MODE is disabled
+
+    This executes before every request to dev auth routes.
+    Returns 404 if DEV_MODE is not explicitly enabled.
+
+    Returns:
+        None if DEV_MODE is enabled, 404 abort otherwise
+
+    Security:
+        This is the primary safeguard preventing dev auth in production.
+        Even if routes are accidentally registered, they will return 404.
+    """
+    if not is_dev_mode():
+        # Return 404 - dev routes don't exist in production
+        abort(404)
+
+
+@bp.route("/login", methods=["GET", "POST"])
+def dev_login():
+    """
+    Instant development login (no authentication required)
+
+    WARNING: This creates an authenticated session WITHOUT any verification.
+    Only accessible when DEV_MODE=true.
+
+    Returns:
+        Redirect to admin dashboard with session cookie set
+
+    Sets:
+        session cookie (HttpOnly, NOT Secure in dev mode, 30 day expiry)
+
+    Logs:
+        WARNING: Logs that dev authentication was used
+
+    Security:
+        - Blocked by before_request if DEV_MODE=false
+        - Logs warning on every use
+        - Creates session for DEV_ADMIN_ME identity
+    """
+    # Get configured dev admin identity
+    me = current_app.config.get("DEV_ADMIN_ME")
+
+    if not me:
+        flash("DEV_MODE misconfiguration: DEV_ADMIN_ME not set", "error")
+        return redirect(url_for("auth.login_form"))
+
+    # Create session without authentication
+    session_token = create_dev_session(me)
+
+    # Create response with redirect
+    response = redirect(url_for("admin.dashboard"))
+
+    # Set session cookie (NOT secure in dev mode)
+    response.set_cookie(
+        "starpunk_session",
+        session_token,
+        httponly=True,
+        secure=False,  # Allow HTTP in development
+        samesite="Lax",
+        max_age=30 * 24 * 60 * 60,  # 30 days
+    )
+
+    flash("DEV MODE: Logged in without authentication", "warning")
+    return response