proxy: add /ideas to protectedRoutes; verify demo-guard for /api/ideas (M12 T-501)

- proxy.ts: /ideas added to protectedRoutes — unauthenticated users get
  redirected to /login when navigating to /ideas or /ideas/[id]
- existing demo-guard catch-all (\`/api/* + non-GET\`) already blocks
  POST/PATCH/DELETE /api/ideas* with 403 — confirmed via 3 new tests
- server-action endpoints (start-grill / start-make-plan / materialize /
  promote-to-idea) carry their own \`session.isDemo\` checks inside
  actions/ideas.ts and actions/todos.ts (defense in depth)

Tests: 9/9 in proxy demo-guard suite (added 3 idea cases).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

__tests__/proxy/demo-guard.test.ts

@@ -30,6 +30,26 @@ beforeEach(() => {
 })
 
 describe('proxy demo-guard', () => {
+  it('demo + POST /api/ideas → 403 (M12)', async () => {
+    mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
+    const req = makeRequest('POST', '/api/ideas', true)
+    const res = await proxy(req)
+    expect(res?.status).toBe(403)
+  })
+
+  it('demo + PATCH /api/ideas/abc → 403 (M12)', async () => {
+    mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
+    const req = makeRequest('PATCH', '/api/ideas/abc', true)
+    const res = await proxy(req)
+    expect(res?.status).toBe(403)
+  })
+
+  it('demo + GET /api/ideas → passthrough (M12)', async () => {
+    const req = makeRequest('GET', '/api/ideas', true)
+    const res = await proxy(req)
+    expect(res?.status).not.toBe(403)
+  })
+
   it('demo + POST /api/todos → 403', async () => {
     mockUnsealData.mockResolvedValue({ userId: 'demo-user', isDemo: true })
     const req = makeRequest('POST', '/api/todos', true)