feat: register auth routes and apply write-protection middleware

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/server/index.ts

@@ -1,6 +1,8 @@
 import { Hono } from "hono";
 import { serveStatic } from "hono/bun";
 import { seedDefaults } from "../db/seed.ts";
+import { requireAuth } from "./middleware/auth.ts";
+import { authRoutes } from "./routes/auth.ts";
 import { categoryRoutes } from "./routes/categories.ts";
 import { imageRoutes } from "./routes/images.ts";
 import { itemRoutes } from "./routes/items.ts";
@@ -19,7 +21,18 @@ app.get("/api/health", (c) => {
 	return c.json({ status: "ok" });
 });
 
+// Auth middleware for write operations (POST/PUT/DELETE) on non-auth routes
+app.use("/api/*", async (c, next) => {
+	// Skip auth routes — they handle their own auth
+	if (c.req.path.startsWith("/api/auth")) return next();
+	// Skip GET requests — read is public
+	if (c.req.method === "GET") return next();
+	// All other methods require auth
+	return requireAuth(c, next);
+});
+
 // API routes
+app.route("/api/auth", authRoutes);
 app.route("/api/items", itemRoutes);
 app.route("/api/categories", categoryRoutes);
 app.route("/api/totals", totalRoutes);