feat: container orchestration, branding overhaul, onboarding logging

Container orchestration:
- Health monitor with crash recovery and auto-restart
- Doctor service (periodic health checks via systemd timer)
- Reconcile service (desired-state convergence)
- Stack-aware install/uninstall with dependency tracking

Branding:
- Custom GRUB background (designer artwork, 1024x768)
- ISOLINUX boot menu: centered, orange accents, clean labels
- Terminal banners: adaptive width, basic ANSI colors, fits 80-col
- Removed auto-generated splash scripts (designer provides assets)
- GRUB theme: lowercase branding

Frontend:
- 401 handler clears localStorage immediately (prevents cascade)

Backend:
- Onboarding/auth logging ([onboarding] tag in journalctl)
- Cookie Secure flag logging for debugging HTTP/HTTPS issues

ISO fixes:
- Install log saved before unmount (was silently failing)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

neode-ui/src/api/rpc-client.ts

@@ -62,6 +62,11 @@ class RPCClient {
           // Use a single shared timeout to prevent redirect storms when
           // multiple parallel requests all get 401 at once
           if (response.status === 401 && method !== 'auth.login') {
+            // Clear stale auth immediately — stops App.vue watcher from
+            // firing more requests and prevents the router from
+            // optimistically navigating to /dashboard
+            try { localStorage.removeItem('neode-auth') } catch { /* noop */ }
+
             const isOnboarding = window.location.pathname.startsWith('/onboarding')
             console.warn(`[RPC] 401 on ${method} | path=${window.location.pathname} | onboarding=${isOnboarding} | redirecting=${RPCClient._sessionExpiredRedirecting}`)
             if (!isOnboarding && !RPCClient._sessionExpiredRedirecting) {