fix(auth): bypass auth guard for static assets and favicon

Prevents redirect loop when backend is down — login page CSS/JS
would otherwise be redirected to /login.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/hooks.server.ts

@@ -4,7 +4,12 @@ import { apiClient } from '$lib/server/api';
 
 const PUBLIC_ROUTES = ['/login', '/register', '/invite'];
 
+const STATIC_PREFIXES = ['/_app/', '/favicon'];
+
 function isPublicRoute(pathname: string): boolean {
+	if (STATIC_PREFIXES.some((prefix) => pathname.startsWith(prefix))) {
+		return true;
+	}
 	return PUBLIC_ROUTES.some((route) => pathname === route || pathname.startsWith(route + '/'));
 }