alvis
a0a069c525
The middleware was redirecting non-admins to /forbidden but /forbidden wasn't excluded from the matcher, so the middleware ran again on that page, saw a non-admin, and redirected again — infinite loop. Added /forbidden to the pass-through list alongside /login. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>