host: browser auth redirects to login (no more raw JSON 401), with return-to

Clicking "edit" while logged out returned a raw JSON 401
{"ok":false,"error":"unauthorized"} — a dead end in the browser. HTML routes
now redirect to a usable login page and return you afterwards.

- host/require-login: browser-shaped guard. Same session-or-bearer check as
  host/require-user, but on failure REDIRECTS to /login?next=<path> instead of
  JSON 401. (host/require-user stays for JSON/API routes.)
- host/-principal-of: shared session-then-bearer resolution.
- login honours ?next=: GET /login renders a hidden next field; POST /login
  redirects there on success and re-renders the form (with next) on failure.
- host/-safe-next: only same-site absolute paths are honoured — //evil.com and
  http://… fall back to "/", closing the open-redirect.
- blog: host/blog--protect-html (require-login) guards the browser routes —
  POST /new, GET/POST /:slug/edit; the JSON /posts routes keep host/require-user.

Do we need login? Yes — it's the write/edit auth boundary; without it anyone
could edit or delete posts. The bug was the dead-end 401, not the gate. Now
logged-out edit -> login -> back to edit is a clean flow.

Tests: blog no-auth write routes assert 303 + Location /login(+next); session
suite gains next round-trip + open-redirect-guard cases. 218/218.
Verified live: /welcome/edit logged out -> 303 /login?next=/welcome/edit;
login -> 303 back to /welcome/edit -> 200.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

lib/host/blog.sx

@@ -346,12 +346,24 @@
         (host/require-user resolve)
         (host/require-permission "edit" (fn (req) "blog")))
       h)))
+;; Browser variant: identical ACL gate, but an unauthenticated request REDIRECTS
+;; to the login page (host/require-login) rather than returning a raw JSON 401 —
+;; the form/edit pages are HTML, so a logged-out click should land on /login and
+;; return here afterwards.
+(define host/blog--protect-html
+  (fn (resolve h)
+    (host/pipeline
+      (list
+        host/wrap-errors
+        (host/require-login resolve)
+        (host/require-permission "edit" (fn (req) "blog")))
+      h)))
 (define host/blog-write-routes
   (fn (resolve)
     (list
-      (dream-post "/new" (host/blog--protect resolve host/blog-form-submit))
-      (dream-get "/:slug/edit" (host/blog--protect resolve host/blog-edit-form))
-      (dream-post "/:slug/edit" (host/blog--protect resolve host/blog-edit-submit))
+      (dream-post "/new" (host/blog--protect-html resolve host/blog-form-submit))
+      (dream-get "/:slug/edit" (host/blog--protect-html resolve host/blog-edit-form))
+      (dream-post "/:slug/edit" (host/blog--protect-html resolve host/blog-edit-submit))
       (dream-post "/posts" (host/blog--protect resolve host/blog-create))
       (dream-put "/posts/:slug" (host/blog--protect resolve host/blog-update-handler))
       (dream-delete "/posts/:slug" (host/blog--protect resolve host/blog-delete-handler)))))