Add SvelteKit frontend with Tailwind CSS (Phase 4)

Build a modern, calm web UI using SvelteKit 5 + Tailwind CSS v4.

Pages:
- Setup wizard (first-run admin account creation)
- Login with JWT token management and auto-refresh
- Dashboard with stats cards and recent events timeline
- Servers: add/delete Immich server connections with validation
- Trackers: create album trackers with album picker, event type
  selection, target assignment, and scan interval config
- Templates: Jinja2 message template editor with live preview
- Targets: Telegram and webhook notification targets with test
- Users: admin-only user management (create/delete)

Architecture:
- Reactive auth state with Svelte 5 runes
- API client with JWT auth, auto-refresh on 401
- Static adapter builds to 153KB for embedding in FastAPI
- Vite proxy config for dev server -> backend API
- Sidebar layout with navigation and user info

Also adds Rule 2 to primary plan: perform detailed code review
after completing each phase.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

frontend/src/lib/api.ts

@@ -0,0 +1,87 @@
+/**
+ * API client with JWT auth for the Immich Watcher backend.
+ */
+
+const API_BASE = '/api';
+
+function getToken(): string | null {
+	if (typeof window === 'undefined') return null;
+	return localStorage.getItem('access_token');
+}
+
+export function setTokens(access: string, refresh: string) {
+	localStorage.setItem('access_token', access);
+	localStorage.setItem('refresh_token', refresh);
+}
+
+export function clearTokens() {
+	localStorage.removeItem('access_token');
+	localStorage.removeItem('refresh_token');
+}
+
+export function isAuthenticated(): boolean {
+	return !!getToken();
+}
+
+async function refreshAccessToken(): Promise<boolean> {
+	const refreshToken = localStorage.getItem('refresh_token');
+	if (!refreshToken) return false;
+
+	try {
+		const res = await fetch(`${API_BASE}/auth/refresh`, {
+			method: 'POST',
+			headers: { 'Content-Type': 'application/json' },
+			body: JSON.stringify({ refresh_token: refreshToken })
+		});
+		if (res.ok) {
+			const data = await res.json();
+			setTokens(data.access_token, data.refresh_token);
+			return true;
+		}
+	} catch {
+		// ignore
+	}
+	return false;
+}
+
+export async function api<T = any>(
+	path: string,
+	options: RequestInit = {}
+): Promise<T> {
+	const token = getToken();
+	const headers: Record<string, string> = {
+		'Content-Type': 'application/json',
+		...(options.headers as Record<string, string>)
+	};
+	if (token) {
+		headers['Authorization'] = `Bearer ${token}`;
+	}
+
+	let res = await fetch(`${API_BASE}${path}`, { ...options, headers });
+
+	// Try token refresh on 401
+	if (res.status === 401 && token) {
+		const refreshed = await refreshAccessToken();
+		if (refreshed) {
+			headers['Authorization'] = `Bearer ${getToken()}`;
+			res = await fetch(`${API_BASE}${path}`, { ...options, headers });
+		}
+	}
+
+	if (res.status === 401) {
+		clearTokens();
+		if (typeof window !== 'undefined') {
+			window.location.href = '/login';
+		}
+		throw new Error('Unauthorized');
+	}
+
+	if (res.status === 204) return undefined as T;
+
+	if (!res.ok) {
+		const err = await res.json().catch(() => ({ detail: res.statusText }));
+		throw new Error(err.detail || `HTTP ${res.status}`);
+	}
+
+	return res.json();
+}

frontend/src/lib/assets/favicon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="107" height="128" viewBox="0 0 107 128"><title>svelte-logo</title><path d="M94.157 22.819c-10.4-14.885-30.94-19.297-45.792-9.835L22.282 29.608A29.92 29.92 0 0 0 8.764 49.65a31.5 31.5 0 0 0 3.108 20.231 30 30 0 0 0-4.477 11.183 31.9 31.9 0 0 0 5.448 24.116c10.402 14.887 30.942 19.297 45.791 9.835l26.083-16.624A29.92 29.92 0 0 0 98.235 78.35a31.53 31.53 0 0 0-3.105-20.232 30 30 0 0 0 4.474-11.182 31.88 31.88 0 0 0-5.447-24.116" style="fill:#ff3e00"/><path d="M45.817 106.582a20.72 20.72 0 0 1-22.237-8.243 19.17 19.17 0 0 1-3.277-14.503 18 18 0 0 1 .624-2.435l.49-1.498 1.337.981a33.6 33.6 0 0 0 10.203 5.098l.97.294-.09.968a5.85 5.85 0 0 0 1.052 3.878 6.24 6.24 0 0 0 6.695 2.485 5.8 5.8 0 0 0 1.603-.704L69.27 76.28a5.43 5.43 0 0 0 2.45-3.631 5.8 5.8 0 0 0-.987-4.371 6.24 6.24 0 0 0-6.698-2.487 5.7 5.7 0 0 0-1.6.704l-9.953 6.345a19 19 0 0 1-5.296 2.326 20.72 20.72 0 0 1-22.237-8.243 19.17 19.17 0 0 1-3.277-14.502 17.99 17.99 0 0 1 8.13-12.052l26.081-16.623a19 19 0 0 1 5.3-2.329 20.72 20.72 0 0 1 22.237 8.243 19.17 19.17 0 0 1 3.277 14.503 18 18 0 0 1-.624 2.435l-.49 1.498-1.337-.98a33.6 33.6 0 0 0-10.203-5.1l-.97-.294.09-.968a5.86 5.86 0 0 0-1.052-3.878 6.24 6.24 0 0 0-6.696-2.485 5.8 5.8 0 0 0-1.602.704L37.73 51.72a5.42 5.42 0 0 0-2.449 3.63 5.79 5.79 0 0 0 .986 4.372 6.24 6.24 0 0 0 6.698 2.486 5.8 5.8 0 0 0 1.602-.704l9.952-6.342a19 19 0 0 1 5.295-2.328 20.72 20.72 0 0 1 22.237 8.242 19.17 19.17 0 0 1 3.277 14.503 18 18 0 0 1-8.13 12.053l-26.081 16.622a19 19 0 0 1-5.3 2.328" style="fill:#fff"/></svg>

frontend/src/lib/auth.svelte.ts

@@ -0,0 +1,63 @@
+/**
+ * Reactive auth state using Svelte 5 runes.
+ */
+
+import { api, setTokens, clearTokens, isAuthenticated } from './api';
+
+interface User {
+	id: number;
+	username: string;
+	role: string;
+}
+
+let user = $state<User | null>(null);
+let loading = $state(true);
+
+export function getAuth() {
+	return {
+		get user() { return user; },
+		get loading() { return loading; },
+		get isAdmin() { return user?.role === 'admin'; },
+	};
+}
+
+export async function loadUser() {
+	if (!isAuthenticated()) {
+		user = null;
+		loading = false;
+		return;
+	}
+	try {
+		user = await api<User>('/auth/me');
+	} catch {
+		user = null;
+		clearTokens();
+	}
+	loading = false;
+}
+
+export async function login(username: string, password: string) {
+	const data = await api<{ access_token: string; refresh_token: string }>('/auth/login', {
+		method: 'POST',
+		body: JSON.stringify({ username, password })
+	});
+	setTokens(data.access_token, data.refresh_token);
+	await loadUser();
+}
+
+export async function setup(username: string, password: string) {
+	const data = await api<{ access_token: string; refresh_token: string }>('/auth/setup', {
+		method: 'POST',
+		body: JSON.stringify({ username, password })
+	});
+	setTokens(data.access_token, data.refresh_token);
+	await loadUser();
+}
+
+export function logout() {
+	clearTokens();
+	user = null;
+	if (typeof window !== 'undefined') {
+		window.location.href = '/login';
+	}
+}

frontend/src/lib/components/Card.svelte

@@ -0,0 +1,10 @@
+<script lang="ts">
+	let { children, class: className = '' } = $props<{
+		children: import('svelte').Snippet;
+		class?: string;
+	}>();
+</script>
+
+<div class="bg-[var(--color-card)] border border-[var(--color-border)] rounded-lg p-4 {className}">
+	{@render children()}
+</div>

frontend/src/lib/components/PageHeader.svelte

@@ -0,0 +1,19 @@
+<script lang="ts">
+	let { title, description = '', children } = $props<{
+		title: string;
+		description?: string;
+		children?: import('svelte').Snippet;
+	}>();
+</script>
+
+<div class="flex items-center justify-between mb-6">
+	<div>
+		<h2 class="text-2xl font-semibold tracking-tight">{title}</h2>
+		{#if description}
+			<p class="text-sm text-[var(--color-muted-foreground)] mt-1">{description}</p>
+		{/if}
+	</div>
+	{#if children}
+		{@render children()}
+	{/if}
+</div>

frontend/src/lib/index.ts

@@ -0,0 +1 @@
+// place files you want to import through the `$lib` alias in this folder.