reqSignIn sends a 303 redirect which breaks WebSocket upgrade; use the
same pattern as /user/events: register the route without middleware and
return 401 inside the handler when the user is not signed in.
Also fix copyright year to 2026 in all three new Go files and add a
console.warn for malformed JSON in the SharedWorker.
b47686ce32