refactor(auth): replace JWT/password-lock with token guards

components/guest-guard.tsx

@@ -0,0 +1,45 @@
+'use client';
+
+import { useEffect, useState } from 'react';
+import { useSearchParams } from 'next/navigation';
+import { authApi } from '@/lib/api';
+
+type Status = 'checking' | { kind: 'ok'; guestName: string } | 'denied';
+
+export default function GuestGuard({ children }: { children: React.ReactNode }) {
+  const params = useSearchParams();
+  const [status, setStatus] = useState<Status>('checking');
+
+  useEffect(() => {
+    let cancelled = false;
+    (async () => {
+      const usr = params.get('usr');
+      try {
+        if (usr) {
+          await authApi.session({ usr });
+          // user said leaving the token in URL is fine — do NOT strip
+        }
+        const who = await authApi.whoami();
+        if (cancelled) return;
+        if (who.role === 'admin' || who.role === 'guest') {
+          setStatus({ kind: 'ok', guestName: who.guest?.name ?? 'admin' });
+        } else {
+          setStatus('denied');
+        }
+      } catch {
+        if (!cancelled) setStatus('denied');
+      }
+    })();
+    return () => { cancelled = true; };
+  }, [params]);
+
+  if (status === 'checking') return <div className="min-h-screen flex items-center justify-center text-gray-500">Verificando convite…</div>;
+  if (status === 'denied') return <div className="min-h-screen flex items-center justify-center text-center px-6">
+    <div>
+      <h1 className="text-2xl font-bold mb-2">Convite necessário</h1>
+      <p className="text-gray-500">Esta lista é por convite. Use o link que recebeu.</p>
+    </div>
+  </div>;
+
+  return <>{children}</>;
+}