Add auth system with invite-only registration and admin roles

JWT-based auth (hono/jwt + bcrypt), anonymous-first flow preserved.
Registration requires invite code when REQUIRE_INVITE=true. Admin
user seeded on startup (admin/admin, forced password reset). Login
accepts email or username. Admin invitations management page in
sidebar. Regular users get invite-a-friend button when USER_INVITATIONS > 0.
Frontend gate screen blocks game access for unregistered users with
invite code entry, registration, login, and password reset flows.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/web/src/lib/api.ts

@@ -16,6 +16,53 @@ export function clearAuthToken() {
   localStorage.removeItem('ai-tycoon-auth-token');
 }
 
+export interface TokenPayload {
+  sub: string;
+  email: string | null;
+  role: string;
+  username: string | null;
+  mustResetPassword: boolean;
+}
+
+export function decodeTokenPayload(token: string): TokenPayload | null {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
+    return {
+      sub: payload.sub,
+      email: payload.email ?? null,
+      role: payload.role ?? 'user',
+      username: payload.username ?? null,
+      mustResetPassword: payload.mustResetPassword ?? false,
+    };
+  } catch {
+    return null;
+  }
+}
+
+export function getTokenPayload(): TokenPayload | null {
+  const token = getAuthToken();
+  if (!token) return null;
+  return decodeTokenPayload(token);
+}
+
+export function isRegistered(): boolean {
+  const payload = getTokenPayload();
+  if (!payload) return false;
+  return payload.email != null || payload.role === 'admin';
+}
+
+export function isAdmin(): boolean {
+  const payload = getTokenPayload();
+  return payload?.role === 'admin';
+}
+
+export function needsPasswordReset(): boolean {
+  const payload = getTokenPayload();
+  return payload?.mustResetPassword === true;
+}
+
 async function request<T>(path: string, options: RequestInit = {}): Promise<T> {
   const headers: Record<string, string> = {
     'Content-Type': 'application/json',
@@ -42,16 +89,45 @@ async function request<T>(path: string, options: RequestInit = {}): Promise<T> {
 export const api = {
   auth: {
     anonymous: () => request<{ userId: string; token: string }>('/api/auth/anonymous', { method: 'POST' }),
-    login: (email: string, password: string) =>
+    login: (login: string, password: string) =>
       request<{ userId: string; token: string }>('/api/auth/login', {
         method: 'POST',
-        body: JSON.stringify({ email, password }),
+        body: JSON.stringify({ login, password }),
       }),
-    linkEmail: (email: string, password: string) =>
-      request<{ success: boolean }>('/api/auth/link-email', {
+    register: (email: string, password: string, inviteCode: string) =>
+      request<{ userId: string; token: string }>('/api/auth/register', {
         method: 'POST',
-        body: JSON.stringify({ email, password }),
+        body: JSON.stringify({ email, password, inviteCode }),
       }),
+    changePassword: (newPassword: string, currentPassword?: string) =>
+      request<{ success: boolean; token: string }>('/api/auth/change-password', {
+        method: 'POST',
+        body: JSON.stringify({ newPassword, currentPassword }),
+      }),
+    changeUsername: (username: string) =>
+      request<{ success: boolean; token: string }>('/api/auth/change-username', {
+        method: 'POST',
+        body: JSON.stringify({ username }),
+      }),
+  },
+  config: {
+    get: () => request<{ requireInvite: boolean; userInvitations: number }>('/api/config'),
+  },
+  invites: {
+    create: () => request<{ code: string }>('/api/invites', { method: 'POST' }),
+    validate: (code: string) => request<{ valid: boolean }>(`/api/invites/validate/${encodeURIComponent(code)}`),
+    list: () => request<{
+      invitations: Array<{
+        id: string;
+        code: string;
+        createdBy: { username: string | null; email: string | null };
+        usedBy: { username: string | null; email: string | null } | null;
+        createdAt: string;
+        expiresAt: string | null;
+        used: boolean;
+      }>;
+    }>('/api/invites'),
+    remaining: () => request<{ remaining: number }>('/api/invites/remaining'),
   },
   saves: {
     list: () => request<{ saves: Array<{ id: string; companyName: string; era: string; tickCount: number; updatedAt: string }> }>('/api/saves'),