refactor: consolidate project structure by migrating authentication, identity, and shared UI components while removing legacy Web Client files.

src/NexusReader.Application/Abstractions/Services/INativeStorageService.cs

@@ -9,4 +9,8 @@ public interface INativeStorageService
     Result SaveBool(string key, bool value);
     Result<bool> GetBool(string key, bool defaultValue = false);
     Result Remove(string key);
+    
+    Task<Result> SaveSecureString(string key, string value);
+    Task<Result<string?>> GetSecureString(string key);
+    Result RemoveSecure(string key);
 }

src/NexusReader.Application/NexusReader.Application.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <ItemGroup>
     <ProjectReference Include="..\NexusReader.Domain\NexusReader.Domain.csproj" />
@@ -9,6 +9,8 @@
     <PackageReference Include="Mapster" Version="10.0.7" />
     <PackageReference Include="Mapster.DependencyInjection" Version="10.0.7" />
     <PackageReference Include="MediatR" Version="12.1.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Authorization" Version="10.0.7" />
+    <PackageReference Include="Microsoft.Extensions.Identity.Core" Version="10.0.7" />
   </ItemGroup>
 
   <PropertyGroup>

src/NexusReader.Application/Security/Authorization/ProUserHandler.cs

@@ -0,0 +1,47 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
+using NexusReader.Domain.Entities;
+
+namespace NexusReader.Application.Security.Authorization;
+
+public class ProUserHandler : AuthorizationHandler<ProUserRequirement>
+{
+    private readonly UserManager<NexusUser> _userManager;
+
+    public ProUserHandler(UserManager<NexusUser> userManager)
+    {
+        _userManager = userManager;
+    }
+
+    protected override async Task HandleRequirementAsync(
+        AuthorizationHandlerContext context,
+        ProUserRequirement requirement)
+    {
+        var userId = context.User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if (string.IsNullOrEmpty(userId))
+        {
+            return;
+        }
+
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+        {
+            return;
+        }
+
+        // Rule 1: Explicit Pro plan
+        if (user.CurrentPlan == "Pro")
+        {
+            context.Succeed(requirement);
+            return;
+        }
+
+        // Rule 2: Within Token Limits (SaaS logic)
+        if (user.AITokensUsed < user.AITokenLimit)
+        {
+            context.Succeed(requirement);
+            return;
+        }
+    }
+}

src/NexusReader.Application/Security/Authorization/ProUserRequirement.cs

@@ -0,0 +1,10 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace NexusReader.Application.Security.Authorization;
+
+/// <summary>
+/// Requirement for users with active "Pro" subscriptions or sufficient AI tokens.
+/// </summary>
+public class ProUserRequirement : IAuthorizationRequirement
+{
+}