Fix setup/auth flow and harden storage write failures

src/App.php

@@ -30,6 +30,12 @@ final class App
         $hasUsers = $this->users->hasAnyUsers();
         $isAuthenticated = $this->auth->check();
 
+        // A failed setup must never leave the app in a half-authenticated redirect loop.
+        if (!$hasUsers && $isAuthenticated) {
+            $this->auth->logout();
+            $isAuthenticated = false;
+        }
+
         if (!$hasUsers) {
             if ($path === '/login') {
                 $path = '/setup';
@@ -130,10 +136,15 @@ final class App
             redirect('/setup');
         }
 
-        $user = $this->users->create($username, $password, true);
-        $this->auth->login($user);
-        flash('success', 'Der erste Account wurde erstellt. Du kannst direkt loslegen.');
-        redirect('/');
+        try {
+            $user = $this->users->create($username, $password, true);
+            $this->auth->login($user);
+            flash('success', 'Der erste Account wurde erstellt. Du kannst direkt loslegen.');
+            redirect('/');
+        } catch (RuntimeException $exception) {
+            flash('error', $exception->getMessage());
+            redirect('/setup');
+        }
     }
 
     private function showLogin(): void