remove dead Auth() middleware method

The Auth() method in internal/middleware/middleware.go only logged and
passed through without performing any actual authentication. It was
never referenced anywhere in the codebase — authentication is handled
per-handler via requireAuth in the handlers package.

closes #38

internal/middleware/middleware.go

@@ -142,20 +142,6 @@ func (mware *Middleware) CORS() func(http.Handler) http.Handler {
 	})
 }
 
-// Auth returns middleware that performs authentication.
-func (mware *Middleware) Auth() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(
-			func(
-				writer http.ResponseWriter,
-				request *http.Request,
-			) {
-				mware.log.Info("AUTH: before request")
-				next.ServeHTTP(writer, request)
-			})
-	}
-}
-
 // Metrics returns middleware that records HTTP metrics.
 func (mware *Middleware) Metrics() func(http.Handler) http.Handler {
 	metricsMiddleware := ghmm.New(ghmm.Config{ //nolint:exhaustruct // optional fields

internal/server/routes.go

@@ -16,11 +16,6 @@ import (
 
 const routeTimeout = 60 * time.Second
 
-// cspHeader is the Content-Security-Policy applied to the embedded web SPA.
-// The SPA loads external scripts and stylesheets from the same origin only;
-// all API communication uses same-origin fetch (no WebSockets).
-const cspHeader = "default-src 'self'; script-src 'self'; style-src 'self'"
-
 // SetupRoutes configures the HTTP routes and middleware.
 func (srv *Server) SetupRoutes() {
 	srv.router = chi.NewRouter()
@@ -138,11 +133,6 @@ func (srv *Server) setupSPA() {
 		writer http.ResponseWriter,
 		request *http.Request,
 	) {
-		writer.Header().Set(
-			"Content-Security-Policy",
-			cspHeader,
-		)
-
 		readFS, ok := distFS.(fs.ReadFileFS)
 		if !ok {
 			fileServer.ServeHTTP(writer, request)