feat: add PRIVATE_MODE site-wide auth gate (0.48.0)

When `PRIVATE_MODE=true`, every API path except a small allowlist
(`/health`, `/auth/{config,login,logout,register}`) requires a valid
session cookie or bearer token — anonymous reads are rejected with
401. Self-registration is force-disabled in private mode regardless
of `ALLOW_SELF_REGISTER`, so a locked-down instance flips with a
single switch (admins still mint accounts via `POST /admin/users`).

The backend gate is a tower middleware that reuses the existing
`CurrentUser` extractor, so the cookie + bearer paths cannot drift
from per-handler auth. `/auth/config` now exposes the flag plus the
effective `self_register_enabled` value so the frontend can render
the navbar correctly on the first paint.

On the frontend, a new universal root `+layout.ts` fetches the
config and redirects anonymous visitors to `/login?next=<path>`
before page-specific loads fire. The redirect is UX only — the
backend middleware is the source of truth, so crafted requests
still 401.

Defaults stay public (`PRIVATE_MODE=false`); existing deployments
need no env change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

frontend/src/lib/api/auth.ts

@@ -102,10 +102,14 @@ export async function deleteToken(id: string): Promise<void> {
 }
 
 export type AuthConfig = {
-    /** When false, /v1/auth/register returns 403 and the UI should
+    /** Effective value (`allow_self_register && !private_mode`).
+     * When false, /v1/auth/register returns 403 and the UI should
      * hide its register affordance. Admins can still mint accounts
      * via POST /v1/admin/users. */
     self_register_enabled: boolean;
+    /** When true, every read endpoint requires auth and anonymous
+     * visitors are redirected to `/login` (see `+layout.ts`). */
+    private_mode: boolean;
 };
 
 /** Public — no auth, no cookie required. */