Build music-quiz installer and management site per spec

Implements the full spec described in README.md:

Management site (Node + TypeScript + Express + EJS):
- Public main page lists packs registered in manifest.json.
- /op login (account.json, internal-only), /op/dashboard manages packs
  with horizontal-scroll cards, add/select-and-delete flow, and the
  /op/dashboard/:packName editor (Mojang release dropdown, dynamic
  mods/resourcepacks lists, platform/RAM fields, file rename).
- Routes for /manifest.json (public) and /file/* (server pack files).
- Middleware blocks /account.json and /manifest/* directory access.

Installer (Electron):
- Five page renderer driven by IPC (preload contextBridge API):
  pack pick → single/multi → server install (path no-Korean check, JDK
  detect, file download, EULA, RAM gating, local web config editor,
  UPnP/port-forward check) → client install (.mc_custom mods +
  resourcepacks + launcher_profiles.json gameDir/javaArgs) → finish
  toggles (server folder, shortcut, server start, launcher start).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/server/app.ts

@@ -0,0 +1,61 @@
+import express from 'express'
+import session from 'express-session'
+import path from 'node:path'
+import { manifestRootPath, fileDirPath, viewsDirPath, publicDirPath } from '../shared/paths'
+import { indexRouter } from './routes/index'
+import { opRouter } from './routes/op'
+
+const PORT = Number(process.env.PORT ?? 3000)
+const HOST = process.env.HOST ?? '0.0.0.0'
+
+const app = express()
+
+app.set('view engine', 'ejs')
+app.set('views', viewsDirPath)
+app.set('trust proxy', 1)
+
+app.use(express.urlencoded({ extended: true }))
+app.use(express.json())
+
+app.use(session({
+  secret: process.env.SESSION_SECRET ?? 'music-quiz-installer-dev-secret',
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    httpOnly: true,
+    sameSite: 'lax',
+    maxAge: 1000 * 60 * 60 * 8
+  }
+}))
+
+// 외부에서 account.json, /manifest 폴더 등에 절대 접근 불가하도록 가장 먼저 차단한다.
+app.use((req, res, next) => {
+  if (/^\/account\.json/i.test(req.path) || /^\/manifest\//i.test(req.path)) {
+    res.status(404).send('Not Found')
+    return
+  }
+  next()
+})
+
+app.use('/static', express.static(publicDirPath))
+
+// 외부 노출이 필요한 정적 자원만 화이트리스트로 라우팅한다.
+app.get('/manifest.json', (_req, res) => {
+  res.sendFile(manifestRootPath)
+})
+
+app.use('/file', express.static(fileDirPath, { fallthrough: true, index: false }))
+
+app.use('/', indexRouter)
+app.use('/', opRouter)
+
+app.use((err: unknown, _req: express.Request, res: express.Response, _next: express.NextFunction) => {
+  console.error(err)
+  const message = err instanceof Error ? err.message : '알 수 없는 오류'
+  res.status(500).send(`서버 오류: ${message}`)
+})
+
+app.listen(PORT, HOST, () => {
+  console.log(`[server] http://${HOST}:${PORT}`)
+  console.log(`[server] views: ${path.relative(process.cwd(), viewsDirPath)}`)
+})