fix: require login to view runs and cache in UI

- Runs list now requires login, shows only user's own runs
- Cache list now requires login to view

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

server.py

@@ -836,16 +836,16 @@ async def ui_runs(request: Request):
     current_user = get_user_from_cookie(request)
     runs = list_all_runs()
 
-    # Filter runs by user if logged in
+    # Require login to see runs
-    # Match both plain username and ActivityPub format (@user@domain)
+    if not current_user:
-    if current_user:
+        return '<p class="no-runs"><a href="/ui/login">Login</a> to see your runs.</p>'
-        actor_id = f"@{current_user}@{L2_DOMAIN}"
+
-        runs = [r for r in runs if r.username in (current_user, actor_id)]
+    # Filter runs by user - match both plain username and ActivityPub format (@user@domain)
+    actor_id = f"@{current_user}@{L2_DOMAIN}"
+    runs = [r for r in runs if r.username in (current_user, actor_id)]
 
     if not runs:
-        if current_user:
+        return '<p class="no-runs">You have no runs yet. Use the CLI to start a run.</p>'
-            return '<p class="no-runs">You have no runs yet. Use the CLI to start a run.</p>'
-        return '<p class="no-runs">No runs yet. <a href="/ui/login">Login</a> to see your runs.</p>'
 
     html_parts = ['<div class="runs">']
 
@@ -923,6 +923,10 @@ async def ui_cache_list(request: Request):
     """HTMX partial: list of cached items."""
     current_user = get_user_from_cookie(request)
 
+    # Require login to see cache
+    if not current_user:
+        return '<p class="no-runs"><a href="/ui/login">Login</a> to see cached content.</p>'
+
     # Get all cached files
     cache_items = []
     if CACHE_DIR.exists():