refactor: consolidate project structure by migrating authentication, identity, and shared UI components while removing legacy Web Client files.

src/NexusReader.Application/Security/Authorization/ProUserHandler.cs

@@ -0,0 +1,47 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
+using NexusReader.Domain.Entities;
+
+namespace NexusReader.Application.Security.Authorization;
+
+public class ProUserHandler : AuthorizationHandler<ProUserRequirement>
+{
+    private readonly UserManager<NexusUser> _userManager;
+
+    public ProUserHandler(UserManager<NexusUser> userManager)
+    {
+        _userManager = userManager;
+    }
+
+    protected override async Task HandleRequirementAsync(
+        AuthorizationHandlerContext context,
+        ProUserRequirement requirement)
+    {
+        var userId = context.User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if (string.IsNullOrEmpty(userId))
+        {
+            return;
+        }
+
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+        {
+            return;
+        }
+
+        // Rule 1: Explicit Pro plan
+        if (user.CurrentPlan == "Pro")
+        {
+            context.Succeed(requirement);
+            return;
+        }
+
+        // Rule 2: Within Token Limits (SaaS logic)
+        if (user.AITokensUsed < user.AITokenLimit)
+        {
+            context.Succeed(requirement);
+            return;
+        }
+    }
+}