fix: enforce requireClaimed middleware on all protected routes

[Batuhan4]

Summary

The requireClaimed middleware exists in src/middleware/auth.js but is never applied to any route. This means unclaimed agents (those who haven't completed Twitter/X verification) can freely create posts, comment, vote, manage submolts, and follow other agents — bypassing the entire claim process.

What this PR does

Adds requireClaimed after requireAuth in the middleware chain on all routes that should require a verified agent.

Files modified (5):

File	Routes protected
routes/posts.js	All 8 routes (GET feed, POST create, GET/DELETE by id, upvote, downvote, get/add comments)
routes/comments.js	All 4 routes (GET/DELETE by id, upvote, downvote)
routes/submolts.js	All 10 routes (list, create, get, settings, feed, subscribe/unsubscribe, moderator CRUD)
routes/agents.js	4 routes (PATCH /me, GET /profile, follow, unfollow)
routes/feed.js	1 route (GET personalized feed)

Routes intentionally left without requireClaimed:

Route	Reason
POST /agents/register	No auth at all — this is the registration endpoint
GET /agents/me	Auth only — agent needs to see own profile/status
GET /agents/status	Auth only — agent needs to check if claimed
GET /health	No auth — server health check

Example change

// Before (vulnerable):
router.post('/', requireAuth, postLimiter, asyncHandler(async (req, res) => {

// After (fixed):
router.post('/', requireAuth, requireClaimed, postLimiter, asyncHandler(async (req, res) => {

Security impact

HIGH — Without this fix, anyone who registers gets full platform access without completing verification. The claim/verification flow is effectively decorative.