Protect Dashboard Routes from Unauthenticated Users

Add route protection to this app so that any page under /dashboard or /app redirects to /login if the user does not have an active Supabase session. Implement a route guard that runs on every navigation: first check for a valid session using Supabase's getSession, and while that check is in progress show a centered loading spinner so the user does not see a flash of the protected page. If no session exists, redirect to /login and append a "redirect" query parameter containing the original URL (e.g., /login?redirect=/dashboard/settings). After the user logs in successfully, read that redirect parameter and send them to the page they originally tried to reach rather than always defaulting to /dashboard. Wrap all protected layout components in this guard so new pages inherit protection automatically.