feat(mvp): phase 3 - authentication system

Implement local auth flow: login, registration, logout, JWT access/refresh
tokens in HTTP-only cookies, hooks.server.ts middleware, guest mode support,
Superforms + Zod validation, and reusable auth/authorize middleware.

src/lib/server/middleware/authenticate.ts

@@ -0,0 +1,22 @@
+import { redirect } from '@sveltejs/kit';
+import type { RequestEvent } from '@sveltejs/kit';
+
+/**
+ * Reusable authentication check helper.
+ * Throws a redirect to /login if the user is not authenticated.
+ * Returns the authenticated user from event.locals.
+ */
+export function requireAuth(event: RequestEvent) {
+	const user = event.locals.user;
+	if (!user) {
+		throw redirect(302, '/login');
+	}
+	return user;
+}
+
+/**
+ * Check if the current request has an authenticated user without redirecting.
+ */
+export function isAuthenticated(event: RequestEvent): boolean {
+	return event.locals.user !== null;
+}