feat: add SPA Blade shell and catch-all route

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

resources/views/app.blade.php

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta name="csrf-token" content="{{ csrf_token() }}">
+    <title>FuelAlert</title>
+    @vite(['resources/css/app.css', 'resources/js/app.js'])
+</head>
+<body class="bg-[#f5ede5]">
+    <div id="app"></div>
+</body>
+</html>

routes/web.php

@@ -7,3 +7,6 @@ Route::middleware(['auth', 'verified'])->group(function (): void {
 });
 
 require __DIR__.'/settings.php';
+
+// SPA catch-all — must be last
+Route::get('/{any}', fn () => view('app'))->where('any', '.*')->name('spa');

tests/Feature/SpaRouteTest.php

@@ -0,0 +1,23 @@
+<?php
+
+it('serves the spa shell for the root path', function (): void {
+    $response = $this->get('/');
+
+    $response->assertStatus(200);
+    $response->assertSee('<div id="app">', false);
+});
+
+it('serves the spa shell for unknown frontend paths', function (): void {
+    $response = $this->get('/some/frontend/route');
+
+    $response->assertStatus(200);
+    $response->assertSee('<div id="app">', false);
+});
+
+it('does not intercept api routes', function (): void {
+    $response = $this->get('/api/stations');
+
+    // API route handles it (403 from missing key, not SPA HTML)
+    $response->assertStatus(403);
+    $response->assertJson(['message' => '']);
+});