fix(web): prevent stale auth redirect loops #827

Merged
simonjcarr merged 1 commit into main from fix/auth-redirect-loop
Apr 30, 2026

@simonjcarr
Collaborator

Summary

  • prevent protected-page auth rejection from bouncing into the normal authenticated login redirect
  • add an explicit expired-session login URL that renders the login form instead of immediately returning to the dashboard
  • centralize auth-page redirect decisions so only active, non-deleted users are redirected away from login/register

Investigation

  • normal browser logs showed repeated /login -> /dashboard -> /login 307 responses
  • private browsing worked and clean curl requests stopped at /login, pointing to stale browser auth state rather than CT-CVE migration code
  • Browser Use could not open the HTTPS target because the local self-signed cert produced ERR_CERT_AUTHORITY_INVALID, and I did not bypass the browser safety interstitial

Validation

  • pnpm install --frozen-lockfile
  • node --experimental-strip-types --test lib/auth/redirects.test.mjs
  • npm run type-check
  • npm run lint -- 'app/(auth)/login/page.tsx' 'app/(auth)/register/page.tsx' lib/auth/session.ts lib/auth/redirects.ts
  • npm run test:unit

@simonjcarr simonjcarr merged commit 614de18 into main Apr 30, 2026
17 checks passed
@github-actions github-actions Bot mentioned this pull request Apr 30, 2026
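
The redirect decisions listed in the Summary, as an added TypeScript sketch that is not the PR's code or the repository's lib/auth/redirects.ts. The type, the function names, the `fixed` flag and the `/login?reason=session-expired` URL are assumptions, and the stale session is modelled as one that still resolves to a deleted user.

```typescript
// Added illustration with hypothetical names; not the repository's lib/auth/redirects.ts.
type SessionUser = { isActive: boolean; deletedAt: string | null };

// Assumed URL for the explicit expired-session login entry point.
const EXPIRED_LOGIN_URL = "/login?reason=session-expired";

// A session is usable only when it resolves to an active, non-deleted user.
function isUsable(user: SessionUser | null): boolean {
  return user !== null && user.isActive && user.deletedAt === null;
}

// Protected pages: redirect target, or null to render the page.
// `fixed` selects the behaviour described in the Summary; false models the loop.
function protectedPageRedirect(user: SessionUser | null, fixed: boolean): string | null {
  if (isUsable(user)) return null;
  return fixed ? EXPIRED_LOGIN_URL : "/login";
}

// Login/register: redirect target, or null to render the form.
function authPageRedirect(search: string, user: SessionUser | null, fixed: boolean): string | null {
  if (!fixed) return user !== null ? "/dashboard" : null; // any session counts
  if (search.split("&").indexOf("reason=session-expired") !== -1) return null;
  return isUsable(user) ? "/dashboard" : null;
}

// Follow redirects between the two handlers; returns the URLs visited.
function trace(start: string, user: SessionUser | null, fixed: boolean, maxHops = 4): string[] {
  const visited = [start];
  let url = start;
  for (let hop = 0; hop < maxHops; hop++) {
    const q = url.indexOf("?");
    const path = q === -1 ? url : url.slice(0, q);
    const search = q === -1 ? "" : url.slice(q + 1);
    const next = path === "/login" || path === "/register"
      ? authPageRedirect(search, user, fixed)
      : protectedPageRedirect(user, fixed);
    if (next === null) break;
    visited.push(next);
    url = next;
  }
  return visited;
}

// Constructed sample: a session that still resolves to a deleted user.
const staleUser: SessionUser = { isActive: true, deletedAt: "2026-01-01T00:00:00Z" };
```

With `fixed` set to false, `trace("/login", staleUser, false)` alternates between `/login` and `/dashboard` until the hop limit; with it set to true the chain stops at the login form.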