[P6.7.1] Add proactive auth guard + SSE/WS token-expiry re-auth path

[frankbria]

Problem

The web UI has no proactive auth guard. The only auth gate is a reactive axios interceptor that redirects to /login after an API call returns 401. Consequences:

• An unauthenticated visitor to /, /tasks, etc. renders the full sidebar + loading skeletons, then flickers to /login only after the first 401.
• /login has no "already authenticated → redirect to /" check.
• Token expiry mid-session on SSE/WebSocket streams (which auth via ?token=) silently fails into the hook's error state ("Connection failed") with no path back to re-auth — the reactive interceptor only fires on axios calls, not on EventSource/WebSocket.

Evidence

• web-ui/src/lib/api.ts:147-152 — sole auth gate (reactive 401 → clear token → redirect)
• web-ui/src/app/login/page.tsx — no already-authenticated redirect
• useStressTestStream, useAgentChat, useTerminalSocket — ?token= auth, no re-auth on expiry

Fix

• Add a lightweight route guard (in AppLayout or middleware) that redirects unauthenticated users to /login before rendering the shell.
• Redirect authenticated users away from /login.
• On SSE/WS auth failure (401/handshake reject), clear the token and redirect to /login.

Acceptance criteria

• Unauthenticated navigation to a protected page redirects to /login without shell flicker.
• Authenticated user hitting /login is redirected to /.
• SSE/WS token expiry surfaces a re-auth path.

Source: release-readiness audit 2026-06-13 (frontend agent).

[coderabbitai]

🔗 Related PRs

#159 - feat: Implement E2E user journey tests with auth bypass [merged]
#238 - fix(auth): migrate lint API to authenticated axios and harden E2E tests [merged]
#520 - feat(web-ui): /sessions/[id] detail page — SplitPane + AgentChatPanel + AgentTerminal (#509) [merged]
#576 - feat(web-ui): Glitch Capture entry point and form for PROOF9 (#568) [merged]
#577 - fix(web-ui): address CodeRabbit review feedback on Glitch Capture (#568) [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!