feat: Phase 1 complete — Matrix login, rooms, chat, profile

- Direct m.login.password auth against matrix.m8chat.au
- Room list with unread badges, last message, timestamps
- Chat timeline (text, images, files, replies, reactions)
- Profile screen with expandable Notifications and Security sections
- Olm E2EE initialisation (web WASM bootstrap)
- Global error handler preventing Matrix SDK crashes
- GoRouter with refreshListenable (no recreation on auth change)
- Feature-first clean architecture: Riverpod + GoRouter + Drift
- Deployed to https://app2.m8chat.au

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

lib/core/auth/auth_notifier.dart

@@ -0,0 +1,104 @@
+// Version: 1.0.0 | Created: 2026-04-01
+// Riverpod notifier that owns the auth state machine.
+// All login/logout/session-restore transitions go through here.
+
+import 'package:riverpod_annotation/riverpod_annotation.dart';
+
+import '../../features/auth/data/auth_repository.dart';
+import '../../features/auth/domain/auth_failure.dart';
+import 'auth_state.dart';
+import 'secure_storage.dart';
+
+part 'auth_notifier.g.dart';
+
+/// The single source of truth for authentication state.
+///
+/// keepAlive: true — auth state must persist for the entire app lifetime.
+/// GoRouter watches this provider to decide which route to show.
+@Riverpod(keepAlive: true)
+class AuthNotifier extends _$AuthNotifier {
+  @override
+  AuthState build() {
+    // Kick off session restore immediately; start in [AuthInitial].
+    _restoreSession();
+    return const AuthState.initial();
+  }
+
+  /// Tries to restore a previous session from secure storage.
+  Future<void> _restoreSession() async {
+    state = const AuthState.loading();
+
+    final storage = ref.read(secureStorageProvider);
+    final credentials = await storage.loadCredentials();
+
+    if (credentials == null) {
+      state = const AuthState.unauthenticated();
+      return;
+    }
+
+    try {
+      final repo = ref.read(authRepositoryProvider);
+      await repo.restoreSession(
+        accessToken: credentials.accessToken,
+        userId: credentials.userId,
+        deviceId: credentials.deviceId,
+      );
+      state = AuthState.authenticated(
+        userId: credentials.userId,
+        accessToken: credentials.accessToken,
+        deviceId: credentials.deviceId,
+      );
+    } on AuthFailure {
+      // Stored credentials are invalid; force re-login.
+      await storage.clearCredentials();
+      state = const AuthState.unauthenticated();
+    } on Exception {
+      // Network offline at startup; still land on login rather than crashing.
+      await storage.clearCredentials();
+      state = const AuthState.unauthenticated();
+    }
+  }
+
+  /// Attempts to log in with [username] and [password].
+  ///
+  /// Transitions: loading → authenticated | unauthenticated(failure).
+  Future<void> login({
+    required String username,
+    required String password,
+  }) async {
+    state = const AuthState.loading();
+
+    try {
+      final repo = ref.read(authRepositoryProvider);
+      final response = await repo.login(username: username, password: password);
+
+      final storage = ref.read(secureStorageProvider);
+      await storage.saveCredentials(
+        accessToken: response.accessToken,
+        userId: response.userId,
+        deviceId: response.deviceId,
+      );
+
+      state = AuthState.authenticated(
+        userId: response.userId,
+        accessToken: response.accessToken,
+        deviceId: response.deviceId,
+      );
+    } on AuthFailure catch (failure) {
+      state = AuthState.unauthenticated(failure: failure.userMessage);
+    }
+  }
+
+  /// Logs out the current user, clears storage, and resets to unauthenticated.
+  Future<void> logout() async {
+    state = const AuthState.loading();
+
+    final repo = ref.read(authRepositoryProvider);
+    await repo.logout();
+
+    final storage = ref.read(secureStorageProvider);
+    await storage.clearCredentials();
+
+    state = const AuthState.unauthenticated();
+  }
+}