Restrict server detail access for guests

- Add isGuest flag to UserContext
- Block guests from navigating to /server/:id route
- Make ServerCards non-clickable for guests
- Add rejectGuest middleware to backend
- Protect server detail endpoints (/:id, /metrics/history, /whitelist)

Guests can now only view the dashboard overview without accessing
individual server details.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

gsm-backend/middleware/auth.js

@@ -48,10 +48,20 @@ export function requireRole(minRole) {
     const userRole = req.user?.role || 'user';
     const userLevel = ROLE_HIERARCHY[userRole] || 0;
     const requiredLevel = ROLE_HIERARCHY[minRole] || 0;
-    
+
     if (userLevel < requiredLevel) {
       return res.status(403).json({ error: 'Insufficient permissions' });
     }
     next();
   };
 }
+
+export function rejectGuest(req, res, next) {
+  if (!req.user) {
+    return res.status(401).json({ error: 'Authentication required' });
+  }
+  if (req.user.isGuest || req.user.role === 'guest') {
+    return res.status(403).json({ error: 'Guests cannot access server details' });
+  }
+  next();
+}