feat(api): add protected GET /api/me and full auth round-trip test

apps/api/test/me.test.ts

@@ -0,0 +1,36 @@
+import { describe, it, expect } from 'vitest';
+import { createApp } from '../src/app';
+
+const json = { 'content-type': 'application/json' };
+
+describe('GET /api/me', () => {
+  it('rejects an unauthenticated request', async () => {
+    const app = createApp();
+    const res = await app.request('/api/me');
+    expect(res.status).toBe(401);
+  });
+
+  it('returns the user for a valid bearer token (sign-up -> sign-in -> me)', async () => {
+    const app = createApp();
+    const creds = { email: 'me@example.com', password: 'sterk-wachtwoord-123', name: 'Me' };
+
+    await app.request('/api/auth/sign-up/email', {
+      method: 'POST',
+      headers: json,
+      body: JSON.stringify(creds),
+    });
+    const signin = await app.request('/api/auth/sign-in/email', {
+      method: 'POST',
+      headers: json,
+      body: JSON.stringify({ email: creds.email, password: creds.password }),
+    });
+    const token = signin.headers.get('set-auth-token');
+
+    const res = await app.request('/api/me', {
+      headers: { authorization: `Bearer ${token}` },
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.user.email).toBe(creds.email);
+  });
+});