Login uses a non-authenticated dio (token resolver returns null) since we don't have one yet. On success, setSession persists token + user into secure storage and the AuthController state flips, which the router watches to navigate.