fix: auth redirect bug + cookie Secure + migration multi-statements

- fetchMe: handle ALL non-ok responses (not just 401) by calling tryRefresh
  → avoids user=null when backend returns 404/500/any error
- DOMContentLoaded guard: check isAuthenticated instead of localStorage token
  → immediate redirect if fetchMe+tryRefresh both fail, no more flash of dashboard
- Cookie Secure flag: check X-Forwarded-Proto header for Traefik/proxy setup
  → cookie gets Secure=true when behind TLS-terminating reverse proxy
- db.go migrate(): split SQL by ; and exec each statement separately
  → fixes SQLite multi-statement limitation (only first stmt was executed)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/js/app.js

@@ -118,7 +118,8 @@ document.addEventListener('alpine:init', () => {
       const res = await apiFetch('/api/auth/me')
       if (res.ok) {
         this.user = await res.json()
-      } else if (res.status === 401) {
+      } else {
+        // Token expiré, invalide, ou toute autre erreur → tenter un refresh
         await this.tryRefresh()
       }
     },
@@ -918,8 +919,8 @@ document.addEventListener('DOMContentLoaded', async () => {
   const publicPages = ['login', 'install', 'index', '']
   const currentPage = window.location.pathname.replace(/^\/|\.html$/g, '') || 'index'
 
-  // Guard rapide (synchrone) : si pas de token du tout, redirect immédiat
-  if (!publicPages.includes(currentPage) && !localStorage.getItem('pxp_token')) {
+  // Guard auth : si pas authentifié (token absent ou invalid/expiré), redirect login
+  if (!publicPages.includes(currentPage) && !Alpine.store('auth').isAuthenticated) {
     window.location.href = '/login.html'
     return
   }