fix ThemeHook gate to validate session token not just presence

Check socket.assigns.current_scope (validated by mount_current_scope)
instead of raw session token. Prevents stale/invalid session cookies
from bypassing the site-live gate.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

test/simpleshop_theme_web/live/shop/coming_soon_test.exs

@@ -56,6 +56,16 @@ defmodule SimpleshopThemeWeb.Shop.ComingSoonTest do
       assert {:error, {:redirect, %{to: "/users/register"}}} = live(conn, ~p"/")
     end
 
+    test "redirects when session token is stale (user deleted)", %{conn: conn} do
+      user = user_fixture()
+      conn = log_in_user(conn, user)
+
+      # Delete the user — session cookie is now stale
+      SimpleshopTheme.Repo.delete!(user)
+
+      assert {:error, {:redirect, %{to: "/users/register"}}} = live(conn, ~p"/")
+    end
+
     test "gates all public shop routes", %{conn: conn} do
       user_fixture()