feat: complete Phase 3 — advanced features for Casera web app

Adds sharing (residence share codes, join, user management, .casera file
export/import), subscription status with feature comparison, notification
preferences with bell icon, profile settings (edit info, change password,
theme picker, delete account), onboarding wizard with create/join paths,
enhanced dashboard with stats cards, Recharts completion chart, recent
activity feed, and task report PDF download.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/middleware.ts

@@ -0,0 +1,32 @@
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+
+export function middleware(request: NextRequest) {
+  const token = request.cookies.get('casera-token')?.value;
+  const { pathname } = request.nextUrl;
+
+  // Public paths that don't require auth
+  const publicPaths = ['/', '/login', '/register', '/forgot-password', '/reset-password', '/verify-email', '/demo'];
+  const isPublicPath = publicPaths.some(p => pathname === p || pathname.startsWith(p + '/'));
+  const isApiPath = pathname.startsWith('/api/');
+  const isStaticPath = pathname.startsWith('/_next/') || pathname.startsWith('/favicon');
+
+  // Skip middleware for API routes and static files
+  if (isApiPath || isStaticPath) return NextResponse.next();
+
+  // No token + protected path → redirect to login
+  if (!token && !isPublicPath) {
+    return NextResponse.redirect(new URL('/login', request.url));
+  }
+
+  // Has token + auth page → redirect to app
+  if (token && (pathname === '/login' || pathname === '/register')) {
+    return NextResponse.redirect(new URL('/app', request.url));
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+};