Backend modularization — split app.py into routers

[TomMaSS]

Problem

api/app.py is 2671 lines with 31 routes and 82 functions in a single file. Chat logic (~500 lines), token stats (~200 lines), WebSocket handler (~100 lines), member management, and project CRUD are all interleaved. This makes every change risky and review painful.

Target Structure

api/
  app.py              # FastAPI app creation, middleware, lifespan, startup (~200 lines)
  auth.py             # Keep as-is (182 lines)
  auth_contract.py    # Keep as-is
  errors.py           # Keep as-is (68 lines)
  ws.py               # Keep token minting; MOVE WebSocket handler here from app.py
  routes/
    __init__.py
    projects.py       # GET/POST /api/projects, GET /api/projects/{slug}, GET export
    sections.py       # GET/PATCH sections, POST notes, all comment/reply endpoints
    chat.py           # provider-status, cli-login, cli-login-code, messages, clear, stream, approve
    members.py        # GET/POST/DELETE members, GET audit
    settings.py       # GET/PUT project settings, GET token-stats

Approach

• Use APIRouter(prefix="/api", tags=["domain"]) per domain
• Import shared deps: pool via request.app.state.pool, auth functions, error helpers
• app.py after refactor: creates FastAPI app, registers CORS/lifespan, includes all routers, keeps /health
• Do NOT modify mcp_server/server.py — MCP tools are production-stable

Key Files

• api/app.py — 2671 lines to split
• tests/test_ui_api.py — 84 tests (imports may need updating)
• tests/test_auth.py — 23 tests

Acceptance Criteria

• All 172 tests pass without modification (or with minimal import updates)
• All API endpoints return identical responses
• app.py reduced to ~200 lines
• Each router file is self-contained with its domain logic
• docker compose up -d works, full stack functional