Lock down coming-soon mode to block all users including authenticated

Remove auth bypass from coming-soon middleware so no one can access
the in-development site in production. Remove unused login button
from coming-soon page since wiki has its own OIDC login flow.

app/middleware/coming-soon.global.js

@@ -13,25 +13,6 @@ export default defineNuxtRouteMiddleware(async (to, from) => {
     return;
   }
 
-  // Allow authenticated users to bypass coming-soon
+  // Redirect all other routes to coming-soon — no exceptions
-  const authToken = useCookie("auth-token");
-  if (authToken.value) {
-    // On the server, verify the JWT is actually valid
-    if (import.meta.server) {
-      try {
-        const { jwtSecret } = useRuntimeConfig();
-        const jwt = await import("jsonwebtoken").then((m) => m.default);
-        jwt.verify(authToken.value, jwtSecret);
-        return;
-      } catch {
-        // Invalid/expired token — fall through to coming-soon redirect
-      }
-    } else {
-      // Client-side: trust the cookie (SSR already validated on initial load)
-      return;
-    }
-  }
-
-  // Redirect all other routes to coming-soon
   return navigateTo("/coming-soon");
 });

app/pages/coming-soon.vue

@@ -4,13 +4,6 @@
       <h1 class="text-display-xl font-bold mb-4">Ghost Guild</h1>
       <p class="text-display-sm text-guild-400">Coming Soon</p>
     </a>
-    <button
-      class="mt-12 text-sm text-guild-500 hover:text-guild-300 transition-colors"
-      @click="openLoginModal"
-    >
-      Member login
-    </button>
-    <LoginModal />
   </div>
 </template>
 
@@ -18,6 +11,4 @@
 definePageMeta({
   layout: "coming-soon",
 });
-
-const { openLoginModal } = useLoginModal();
 </script>