feat: Sprint 4 complete — frontend MVP (admin dashboard + member portal)

Shadboard starter-kit (Next.js 15 + React 19 + shadcn/ui + Tailwind 4)

Sprint 4.a — Admin Dashboard:
- Auth: NextAuth.js v5, login page, middleware, token rotation
- Dashboard: KPI cards, Recharts stock chart, quick actions
- Members: TanStack Table (search/sort/paginate), add/edit forms
- Distributions: multi-step form, real-time quota check, history
- Stock: batch management, recall dialog, bar chart
- Reports: monthly/member-list/recall, PDF/CSV download, preview

Sprint 4.b — Member Portal:
- Separate route group with top-nav layout (mobile-first)
- Quota dashboard with radial SVG progress indicators
- Distribution history with month filter
- Profile/settings with password change

Cross-cutting:
- i18n: German (default) + English via next-intl
- Dark + light mode (next-themes, user-togglable)
- Playwright E2E tests (6/6 green)
- Docker multi-stage build (node:22-alpine)
- API proxy via Next.js rewrites

Tech: Next.js 15.2.8, React 19, Tailwind 4, NextAuth v5,
TanStack Table, Recharts, Zod, React Hook Form, Playwright

cannamanage-frontend/src/middleware.ts

@@ -0,0 +1,67 @@
+import { NextResponse } from "next/server"
+
+import { auth } from "@/lib/auth"
+
+export default auth((req) => {
+  const { nextUrl } = req
+  const isAuthenticated = !!req.auth
+
+  // Public routes that don't require authentication
+  const publicRoutes = [
+    "/login",
+    "/register",
+    "/forgot-password",
+    "/api/auth",
+    "/portal-login",
+  ]
+  const isPublicRoute = publicRoutes.some((route) =>
+    nextUrl.pathname.startsWith(route)
+  )
+
+  // Portal routes — allow without admin auth (mock for now)
+  const isPortalRoute = nextUrl.pathname.startsWith("/portal")
+
+  if (isPublicRoute || isPortalRoute) {
+    // If user is already authenticated and tries to access login, redirect based on role
+    if (isAuthenticated && nextUrl.pathname.startsWith("/login")) {
+      const role = req.auth?.user?.role
+      const redirectPath = getRedirectForRole(role)
+      return NextResponse.redirect(new URL(redirectPath, nextUrl))
+    }
+    return NextResponse.next()
+  }
+
+  // Redirect unauthenticated users to login
+  if (!isAuthenticated) {
+    const loginUrl = new URL("/login", nextUrl)
+    loginUrl.searchParams.set("callbackUrl", nextUrl.pathname)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  return NextResponse.next()
+})
+
+function getRedirectForRole(role: string | undefined): string {
+  switch (role) {
+    case "ADMIN":
+    case "STAFF":
+    case "PREVENTION_OFFICER":
+      return "/dashboard"
+    case "MEMBER":
+      return "/portal/dashboard"
+    default:
+      return "/dashboard"
+  }
+}
+
+export const config = {
+  matcher: [
+    // Protect all routes EXCEPT:
+    // - /login, /register, /forgot-password (auth pages)
+    // - /portal-login (portal auth page)
+    // - /api/auth (NextAuth API routes)
+    // - /_next/static, /_next/image (Next.js internals)
+    // - /favicon.ico, /images (public assets)
+    "/((?!login|register|forgot-password|portal-login|api/auth|_next/static|_next/image|favicon.ico|images).*)",
+  ],
+}