feat(auth): SSR auth guards on admin and profile pages

Adds `export const prerender = false` + `await auth.requireUser()` to
admin.astro, admin-members.astro, admin-settings.astro, profile.astro.
The platform turns AuthRequiredError into a 303 → /auth/sign-in?return_to=…
automatically — no try/catch (catching the error is the silent-null bug
the brief calls out).

For admin pages, requireUser is followed by an adminDb() lookup against
members.role. Using auth.requireRole('admin') wouldn't work — the Actor
envelope carries platform identity only; Kychon's "admin" is a project-
defined member role. Annotated the user_id filter with
`run402-allow-user-filter:` since adminDb() bypasses RLS by design.

Non-admin signed-in visitors now get a 403 from the page itself instead
of a fully-rendered admin shell with a client-side redirect — the admin
HTML and JS bundles never reach unauthorized browsers. /join stays
prerendered because it IS the sign-in surface.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: MajorTal

src/pages/admin-members.astro

@@ -1,6 +1,16 @@
 ---
+export const prerender = false;
+import { auth, adminDb } from '@run402/functions';
 import AdminMembersApp from '../components/kychon/AdminMembersApp';
 import Portal from '../layouts/Portal.astro';
+
+const user = await auth.requireUser();
+// run402-allow-user-filter: adminDb() bypasses RLS for the admin role lookup
+const rows = await adminDb().from('members').select('role,status').eq('user_id', user.id).limit(1);
+const member = rows?.[0];
+if (member?.role !== 'admin' || member?.status !== 'active') {
+  return new Response('Admin access required', { status: 403 });
+}
 ---
 <Portal title="Manage Members">
   <AdminMembersApp client:load />

src/pages/admin-settings.astro

@@ -1,6 +1,16 @@
 ---
+export const prerender = false;
+import { auth, adminDb } from '@run402/functions';
 import AdminSettingsApp from '../components/kychon/AdminSettingsApp';
 import Portal from '../layouts/Portal.astro';
+
+const user = await auth.requireUser();
+// run402-allow-user-filter: adminDb() bypasses RLS for the admin role lookup
+const rows = await adminDb().from('members').select('role,status').eq('user_id', user.id).limit(1);
+const member = rows?.[0];
+if (member?.role !== 'admin' || member?.status !== 'active') {
+  return new Response('Admin access required', { status: 403 });
+}
 ---
 <Portal title="Site Settings">
   <AdminSettingsApp client:load />

src/pages/admin.astro

@@ -1,6 +1,20 @@
 ---
+// SSR-guarded: auth.requireUser() throws AuthRequiredError on anon (platform
+// 303-redirects to /auth/sign-in?return_to=/admin). For Kychon-admin we
+// manually consult members.role — the platform's actor envelope doesn't carry
+// project-defined roles, so requireRole('admin') wouldn't match.
+export const prerender = false;
+import { auth, adminDb } from '@run402/functions';
 import AdminDashboardApp from '../components/kychon/AdminDashboardApp';
 import Portal from '../layouts/Portal.astro';
+
+const user = await auth.requireUser();
+// run402-allow-user-filter: adminDb() bypasses RLS for the admin role lookup
+const rows = await adminDb().from('members').select('role,status').eq('user_id', user.id).limit(1);
+const member = rows?.[0];
+if (member?.role !== 'admin' || member?.status !== 'active') {
+  return new Response('Admin access required', { status: 403 });
+}
 ---
 <Portal title="Admin Dashboard">
   <AdminDashboardApp client:load />

src/pages/profile.astro

@@ -1,6 +1,12 @@
 ---
+// SSR-guarded: anonymous visitors get a 303 to sign-in via auth.requireUser().
+// Any signed-in member can view their own profile — no role check needed.
+export const prerender = false;
+import { auth } from '@run402/functions';
 import ProfilePageApp from '../components/kychon/ProfilePageApp';
 import Portal from '../layouts/Portal.astro';
+
+await auth.requireUser();
 ---
 <Portal title="Profile">
   <div class="mx-auto w-full max-w-xl px-4 py-8 sm:px-6 lg:px-8">