Add first-run setup flow for superadmin creation

When no users exist in the database, the login page shows a setup
form to create the initial superadmin account. The /api/setup
endpoint is locked once the first user is created.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/server.js

@@ -468,6 +468,32 @@ async function getRecordName(table, id) {
 // Clear name cache periodically (every 60s)
 setInterval(() => { Object.keys(_nameCache).forEach(k => delete _nameCache[k]); }, 60000);
 
+// ─── SETUP ROUTES ───────────────────────────────────────────────
+
+app.get('/api/setup/status', (req, res) => {
+  const count = authDb.prepare('SELECT COUNT(*) as cnt FROM auth_credentials').get().cnt;
+  res.json({ needsSetup: count === 0 });
+});
+
+app.post('/api/setup', async (req, res) => {
+  const count = authDb.prepare('SELECT COUNT(*) as cnt FROM auth_credentials').get().cnt;
+  if (count > 0) return res.status(403).json({ error: 'Setup already completed' });
+
+  const { name, email, password } = req.body;
+  if (!name || !email || !password) return res.status(400).json({ error: 'Name, email, and password are required' });
+
+  try {
+    const created = await nocodb.create('Users', { name, email, role: 'superadmin' });
+    const passwordHash = await bcrypt.hash(password, 10);
+    authDb.prepare('INSERT INTO auth_credentials (email, password_hash, nocodb_user_id) VALUES (?, ?, ?)').run(email, passwordHash, created.Id);
+    console.log(`[SETUP] Superadmin created: ${email} (NocoDB Id: ${created.Id})`);
+    res.status(201).json({ message: 'Superadmin account created. You can now log in.' });
+  } catch (err) {
+    console.error('Setup error:', err);
+    res.status(500).json({ error: 'Failed to create superadmin account' });
+  }
+});
+
 // ─── AUTH ROUTES ────────────────────────────────────────────────
 
 app.post('/api/auth/login', async (req, res) => {