fix(security): owner auth gate, OAuth state cookie binding, 0600 token perms

- Add OWNER_SECRET-based session: signed HMAC cookie, /api/auth/owner login,
  requireOwner middleware. All Tesla routes refuse 401 without it.
- Bind OAuth state to a SameSite=Lax httpOnly cookie at /start, validate
  match in /callback with constant-time compare. Refuses unmatched callbacks.
- Token store now mkdir 0700, writeFile + rename atomic, mode 0600 with
  defensive chmod. Owner-only on disk.
- VIN masked to last 4 in responses; partner-register no longer echoes raw
  Tesla body to clients; coord bounds checked on send-to-nav.
- Client: useTesla also tracks owner status; Connect Tesla button opens an
  OwnerLoginModal when not authenticated, then continues to Tesla OAuth.

Conscious deferrals:
- Explicit CSRF tokens on POST routes: mitigated by SameSite=Lax cookies
  + same-origin CORS. Will revisit if cross-origin clients land.
- At-rest token encryption: deferred for single-user app; tokens are on a
  0700 Dokku volume readable only by the app uid. Will add AES-GCM if we
  multi-tenant.

server/index.ts

@@ -11,6 +11,8 @@ import { logger } from './lib/logger.js';
 import chatRoutes from './routes/chat.js';
 import tripsRoutes from './routes/trips.js';
 import teslaRoutes from './routes/tesla.js';
+import ownerRoutes from './routes/owner.js';
+import { warnIfMisconfigured as warnOwnerAuth } from './lib/ownerAuth.js';
 import { createOptionalAuth } from './lib/auth.js';
 
 const app = express();
@@ -38,8 +40,10 @@ if (auth) {
   logger.info('Auth disabled — set AUTH_SECRET to enable user accounts');
 }
 
-// Tesla integration: serves the partner public key + OAuth callback. Mounted
-// at the app root because Tesla's well-known path is fixed.
+// Owner auth + Tesla integration. Tesla routes are owner-gated except the
+// public .well-known partner-key path. Owner routes handle login/logout.
+warnOwnerAuth();
+app.use(ownerRoutes);
 app.use(teslaRoutes);
 
 app.use('/api', chatRoutes);