fix: bootstrap-gate auth before mount (krypto-kuns pattern); never call API unauthenticated

Root cause: the router-guard adapter let index.vue mount and call the API before
auth resolved, so auth.fetch returned a synthetic 401 (the banner) and the package's
redirect-loop guard could strand the user. Now use the core ZitadelAuth and gate in an
async plugin (Nuxt awaits it before mount), mirroring the working krypto-kuns app.

app/composables/useAuth.ts

@@ -1,17 +1,10 @@
-// Access the provided Zitadel auth instance + a small JSON helper for /api calls.
+import type { ZitadelAuth } from "@kuns/zitadel-auth";
+
+// Access the bootstrap-provided Zitadel auth instance + a small JSON helper for /api calls.
+// By the time any component mounts, the plugin has gated auth, so `auth` is authenticated.
 // `auth.fetch` auto-attaches the Bearer access token.
 export function useAuth() {
-  const { $auth } = useNuxtApp() as unknown as {
-    $auth: {
-      isAuthenticated: Ref<boolean>;
-      isLoading: Ref<boolean>;
-      user: Ref<{ sub: string; name: string; email: string } | null>;
-      error: Ref<string | null>;
-      login: () => void;
-      logout: () => Promise<void>;
-      fetch: (url: string, init?: RequestInit) => Promise<Response>;
-    };
-  };
+  const { $auth } = useNuxtApp() as unknown as { $auth: ZitadelAuth };
 
   async function api<T = unknown>(path: string, init?: RequestInit): Promise<T> {
     const res = await $auth.fetch(`/api${path}`, init);