refactor(las): Phoenix-style auth with Pipeline and scopes
- Add Auth.require_authenticated as proper Plug.t
- Organize routes into scopes: browser, public, auth-protected
- Change Route.plug signature to plug-first for |> piping
- Apply negotiate plug to browser scope, auth plug to protected scope
- Per-route plugs for rate limiting on login/register/submit