fix: password setup, CSRF 403, reboot after install

Critical fixes:
- Remove ensure_default_user() — no more auto-creating user with
  password123. Login page now shows "Create Password" form on first
  boot. User sets their own password during onboarding flow.
- CSRF 403: increased retry delay from 300ms to 500ms for stale
  cookie recovery after remember-me session restore.
- Reboot: multiple fallback methods (/sbin/reboot, sysrq, kill init)
  when USB is pulled and /usr/sbin isn't available.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

core/archipelago/src/main.rs

@@ -115,10 +115,9 @@ async fn main() -> Result<()> {
     // Ensure a default user exists so login works after install/onboarding.
     // In production, the default password is "password123" (shown during install).
     // In dev mode, the dev default password is used.
-    {
-        let auth = AuthManager::new(config.data_dir.clone());
-        auth.ensure_default_user().await?;
-    }
+    // Don't auto-create default user — let onboarding flow handle password setup
+    // via auth.setup RPC. The Login page detects is_setup=false and shows
+    // "Create Password" form instead of login form.
 
     // Create server
     let server = Server::new(config.clone()).await?;

neode-ui/src/api/rpc-client.ts

@@ -78,10 +78,10 @@ class RPCClient {
             }
             throw new Error('Session expired')
           }
-          // CSRF 403: retry once after short delay (cookie may have been
+          // CSRF 403: retry twice after delay (cookie may have been
           // updated by a concurrent Set-Cookie response not yet visible to JS)
           if (response.status === 403 && attempt < maxRetries - 1) {
-            await new Promise((r) => setTimeout(r, 300))
+            await new Promise((r) => setTimeout(r, 500))
             continue
           }
           const err = new Error(`HTTP ${response.status}: ${response.statusText}`)