Add login gate

Protect UI with PHP session login and secure APIs.

- Add login/logout pages and session auth helper
- Serve protected content from index.php
- Redirect index.html to index.php to prevent bypass
- Require auth for image list/upload APIs

Co-authored-by: Cursor <cursoragent@cursor.com>

auth/auth.php

@@ -0,0 +1,58 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Session-based auth gate (no DB).
+ * Required credentials:
+ *  - username: admin
+ *  - password: admin5004!
+ *
+ * NOTE: Password is stored as SHA-256 hash here (not plaintext).
+ */
+
+function dreamgirl_session_start(): void {
+  if (session_status() === PHP_SESSION_ACTIVE) return;
+
+  $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
+
+  // PHP 7.3+ supports samesite via array; older versions may ignore unknown keys.
+  session_set_cookie_params([
+    'lifetime' => 0,
+    'path' => '/',
+    'httponly' => true,
+    'samesite' => 'Lax',
+    'secure' => $secure,
+  ]);
+
+  session_start();
+}
+
+function dreamgirl_is_logged_in(): bool {
+  dreamgirl_session_start();
+  return isset($_SESSION['dreamgirl_user']) && $_SESSION['dreamgirl_user'] === 'admin';
+}
+
+function dreamgirl_check_credentials(string $username, string $password): bool {
+  if ($username !== 'admin') return false;
+
+  // sha256("admin5004!")
+  $expectedSha256 = 'adcda104b73b73f8cddf5c8047a6bc0e5e1388265ed4bf0f31f704c13cbc11b7';
+  $gotSha256 = hash('sha256', $password);
+
+  return hash_equals($expectedSha256, $gotSha256);
+}
+
+function dreamgirl_require_login_page(): void {
+  if (dreamgirl_is_logged_in()) return;
+  header('Location: /login.php');
+  exit;
+}
+
+function dreamgirl_require_login_json(): void {
+  if (dreamgirl_is_logged_in()) return;
+  http_response_code(401);
+  header('Content-Type: application/json; charset=utf-8');
+  echo json_encode(['ok' => false, 'error' => 'Unauthorized'], JSON_UNESCAPED_UNICODE);
+  exit;
+}
+