Add Next.js middleware for route protection (task 5.1)

- Create src/middleware.ts using Auth.js v5 auth() wrapper
- Protect /app/* routes: redirect unauthenticated users to /login
- Protect /api/* routes (except /api/auth/* and /api/health): return 401 JSON for unauthenticated requests
- Redirect authenticated users away from /login and /register to /app
- Mark task 5.1 as complete in tasks.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/middleware.ts

@@ -0,0 +1,44 @@
+import { auth } from "@/auth";
+import { NextResponse } from "next/server";
+
+export const middleware = auth((req) => {
+  const { pathname } = req.nextUrl;
+  const isAuthenticated = !!req.auth;
+
+  // Protect /api/* except /api/auth/* and /api/health
+  if (pathname.startsWith("/api/")) {
+    const isAuthRoute = pathname.startsWith("/api/auth/");
+    const isHealthRoute = pathname === "/api/health";
+
+    if (!isAuthRoute && !isHealthRoute && !isAuthenticated) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    return NextResponse.next();
+  }
+
+  // Redirect authenticated users away from /login and /register
+  if (isAuthenticated && (pathname === "/login" || pathname === "/register")) {
+    return NextResponse.redirect(new URL("/app", req.nextUrl.origin));
+  }
+
+  // Protect /app/* routes — redirect unauthenticated users to /login
+  if (pathname.startsWith("/app") && !isAuthenticated) {
+    return NextResponse.redirect(new URL("/login", req.nextUrl.origin));
+  }
+
+  return NextResponse.next();
+});
+
+export const config = {
+  matcher: [
+    /*
+     * Match all request paths except:
+     * - _next/static  (static files)
+     * - _next/image   (image optimisation)
+     * - favicon.ico / favicon.png / favicon.svg
+     * - public assets (top-level files that are not pages)
+     */
+    "/((?!_next/static|_next/image|favicon\\.ico|favicon\\.png|favicon\\.svg).*)",
+  ],
+};