Phase 1: lock cron, reload chaud, argon2, providers, IMDb lookup, cache LRU, /health, /metrics, rate limit, UI dark, biome

lib/password.js

@@ -0,0 +1,21 @@
+import { Algorithm, hash, verify } from '@node-rs/argon2';
+
+const OPTS = {
+  algorithm: Algorithm.Argon2id,
+  memoryCost: 19456, // 19 MiB (OWASP 2024 recommendation)
+  timeCost: 2,
+  parallelism: 1,
+};
+
+export async function hashPassword(plain) {
+  return await hash(plain, OPTS);
+}
+
+export async function verifyPassword(stored, plain) {
+  if (!stored || !plain) return false;
+  try {
+    return await verify(stored, plain);
+  } catch {
+    return false;
+  }
+}