fix(auth): redirect to original URL after login

Pass current path as ?next= when bouncing unauthenticated requests
to /echo/login; after successful auth, JS reads and validates the
param (must start with /echo/, not /echo/login) before redirecting.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

dashboard/api.py

@@ -10,6 +10,7 @@ import os
 import sys
 from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
 from pathlib import Path
+from urllib.parse import quote as _urlquote
 
 # Make dashboard/ importable for the handler submodules (constants,
 # habits_helpers, handlers.*). Tests rely on this as well.
@@ -284,7 +285,8 @@ class TaskBoardHandler(
                 if fpath.is_file():
                     if fpath.name != 'login.html' and not self._check_dashboard_cookie():
                         self.send_response(302)
-                        self.send_header('Location', '/echo/login')
+                        next_param = _urlquote(self.path, safe='/?=&#')
+                        self.send_header('Location', f'/echo/login?next={next_param}')
                         self.send_header('Content-Length', '0')
                         self.end_headers()
                         return