Fix: exempt /api/setup/* from enforce_auth so setup wizard works on fresh install

The setup wizard runs before any account exists, but the installer's
setup_cell.py creates auth_users.json with an admin account first.
This meant enforce_auth was active by the time the browser hit /setup,
blocking all /api/setup/* calls with 401. The CSRF hook already exempted
/api/setup/* — auth enforcement now matches.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/app.py

@@ -199,8 +199,8 @@ def enforce_auth():
     backward-compatibility with pre-auth test suites.
     """
     path = request.path
-    # Always allow non-API paths and auth namespace
+    # Always allow non-API paths, auth namespace, and setup namespace
-    if not path.startswith('/api/') or path.startswith('/api/auth/'):
+    if not path.startswith('/api/') or path.startswith('/api/auth/') or path.startswith('/api/setup/'):
         return None
     # Cell peer-sync endpoints authenticate via source IP + WG pubkey — not session
     if path.startswith('/api/cells/peer-sync/'):

tests/test_route_protection.py

@@ -128,6 +128,12 @@ def test_anon_blocked_from_peer_routes(anon_client):
     assert r.status_code == 401
 
 
+def test_setup_routes_bypass_auth(anon_client):
+    """/api/setup/* must be reachable without a session — setup runs before any account exists."""
+    r = anon_client.get('/api/setup/status')
+    assert r.status_code != 401
+
+
 def test_anon_blocked_from_peer_dashboard(anon_client):
     r = anon_client.get('/api/peer/dashboard')
     assert r.status_code == 401