auth: guarda server-side em rotas protegidas

- /tickets/[id], /tickets/resolved, /views, /play, /reports/*, /settings agora exigem sessão via requireAuthenticatedSession()
- Complementa o middleware e evita casos não-redirecionados em DEV/SSG
- Mantém /settings/templates com requireStaffSession() como já estava.

src/app/tickets/[id]/page.tsx

@@ -5,12 +5,14 @@ import { TicketDetailStatic } from "@/components/tickets/ticket-detail-static"
 import { NewTicketDialogDeferred } from "@/components/tickets/new-ticket-dialog.client"
 import { getTicketById } from "@/lib/mocks/tickets"
 import type { TicketWithDetails } from "@/lib/schemas/ticket"
+import { requireAuthenticatedSession } from "@/lib/auth-server"
 
 type TicketDetailPageProps = {
   params: Promise<{ id: string }>
 }
 
 export default async function TicketDetailPage({ params }: TicketDetailPageProps) {
+  await requireAuthenticatedSession()
   const { id } = await params
   const isMock = id.startsWith("ticket-")
   const mock = isMock ? getTicketById(id) : null

src/app/tickets/resolved/page.tsx

@@ -1,5 +1,7 @@
 import { TicketsResolvedPageClient } from "./tickets-resolved-page-client"
+import { requireAuthenticatedSession } from "@/lib/auth-server"
 
-export default function TicketsResolvedPage() {
+export default async function TicketsResolvedPage() {
+  await requireAuthenticatedSession()
   return <TicketsResolvedPageClient />
 }