Fix: allow script.js to load without auth for embedded sites (Shopify)

- Add /script.js to PUBLIC_ROUTES in middleware
- Fixes 307 redirect to /login when tracking script loads from third-party sites

Co-authored-by: Cursor <cursoragent@cursor.com>

middleware.ts

@@ -12,6 +12,7 @@ const PUBLIC_ROUTES = new Set([
   '/faq',
   '/changelog',
   '/installation',
+  '/script.js', // * Tracking script – must load without auth for embedded sites (Shopify, etc.)
 ])
 
 const PUBLIC_PREFIXES = [