Fix GUI polish issues across auth modal, theme, and 404

- Add missing modal CSS (.modal-overlay/.modal-dialog/.modal-header):
  the "Connect to Microsoft" auth modal was rendering unstyled inline
  at the bottom of the page. Now a centered dialog with backdrop.
- Surface OAuth connect errors in the modal instead of silently
  reopening it with no explanation.
- MainLayout: implement IDisposable so event handlers are actually
  unsubscribed (Dispose existed but was never invoked).
- Wire up the Settings theme selector (was a dead control): drop the
  unsupported Dark option, call sptb.setTheme on save and on load,
  resolve System via prefers-color-scheme.
- Add branded 404 page via UseStatusCodePagesWithReExecute + Routes
  <NotFound> (blank white page before).
- Add .progress-fill.indeterminate animation and .progress-panel.
- Home: replace inline JS hover handlers with a .feature-card CSS class.
- Define missing --surface-2 variable referenced by MainLayout.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Components/Layout/MainLayout.razor

@@ -1,12 +1,15 @@
 @inherits LayoutComponentBase
+@implements IDisposable
 @inject IUserSessionService Session
 @inject IUserContextAccessor UserContext
 @inject ISessionCredentialStore CredStore
 @inject ISessionManager SessionManager
 @inject NavigationManager Nav
+@inject IJSRuntime JS
 @inject SharepointToolbox.Web.Services.OAuth.IOAuthFlowCache OAuthCache
 @using Microsoft.AspNetCore.Components.Authorization
 @using Microsoft.AspNetCore.WebUtilities
+@using Microsoft.JSInterop
 @using SharepointToolbox.Web.Core.Models
 @using SharepointToolbox.Web.Services.Session
 
@@ -160,6 +163,9 @@
     {
         if (!firstRender) return;
 
+        // Apply persisted theme preference
+        await ApplyThemeAsync();
+
         // Pick up token_key from OAuth callback redirect before checking credential state
         await HandleOAuthCallbackAsync();
         await RefreshCredentialState();
@@ -172,7 +178,8 @@
             Nav.NavigateTo(uri.GetLeftPart(UriPartial.Path), replace: true);
             if (_credModal is not null)
             {
-                await _credModal.ShowAsync();
+                // Surface the failure reason instead of silently reopening the modal
+                await _credModal.ShowAsync(err!);
             }
         }
 
@@ -234,6 +241,15 @@
         });
     }
 
+    private async Task ApplyThemeAsync()
+    {
+        try
+        {
+            await JS.InvokeVoidAsync("sptb.setTheme", Session.Settings.Theme);
+        }
+        catch (JSException) { /* best-effort; JS not yet available */ }
+    }
+
     private void ToggleSidebar() => _sidebarCollapsed = !_sidebarCollapsed;
 
     private static string RoleChipClass(UserRole role) => role switch