feat: add Vitest testing framework, fix proxy auth stripping and 401 handling

- Set up Vitest with jsdom for client tests, node for server tests
- Add tests for auth service, proxy handler, API client, and profiles store
- Strip Authorization header in proxy to prevent web-ui token leaking to gateway
- Distinguish local BFF vs proxied gateway 401s to avoid false logouts
- Remove unused hero.png asset

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/client/src/api/client.ts

@@ -41,8 +41,13 @@ export async function request<T>(path: string, options: RequestInit = {}): Promi
 
   const res = await fetch(url, { ...options, headers })
 
-  // Global 401 handler — clear auth and redirect to login
-  if (res.status === 401) {
+  // Global 401 handler — only redirect to login for local BFF endpoints
+  // Proxied gateway requests should not trigger logout
+  const isLocalBff = !path.startsWith('/api/hermes/v1/') &&
+    !path.startsWith('/api/hermes/jobs') &&
+    !path.startsWith('/api/hermes/skills')
+
+  if (res.status === 401 && isLocalBff) {
     clearApiKey()
     if (router.currentRoute.value.name !== 'login') {
       router.replace({ name: 'login' })