Register JwtAuthGuard (extended with @Public() support) via the APP_GUARD token so it is managed by the DI container and can inject Reflector. All routes are protected by default. Mark public routes with a @Public() decorator that sets isPublic metadata — the guard reads this and bypasses Passport for those routes.
APP_GUARD registers the guard inside the DI container — can inject Reflector, ConfigService, and others.
app.useGlobalGuards() registers outside DI — cannot inject any services, including Reflector.
The @Public() pattern is safer than whitelisting — all routes are secure by default, opt out explicitly.
@Public() can be applied at class level to make all routes in a controller public.
Multiple APP_GUARD providers can be registered — they run in registration order. Across scopes, guards run global → controller → method.
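The decision the guard makes, as an added example that is not NestJS or project code: a dependency-free TypeScript model of "protected by default, opt out with isPublic metadata", including the class-level case. Here `getAllAndOverride` stands in for the Reflector lookup, `Public` is a plain function rather than a decorator, and `verifyToken`, the fixed token and the sample controllers are constructed assumptions standing in for Passport's JWT check.

```typescript
// Model of the guard decision only; not NestJS source code.
const IS_PUBLIC_KEY = "isPublic";
type Target = object;
const metadata = new WeakMap<Target, Map<string, unknown>>();

function setMetadata(key: string, value: unknown, target: Target): void {
  const entries = metadata.get(target) ?? new Map<string, unknown>();
  entries.set(key, value);
  metadata.set(target, entries);
}

// Plays the role of @Public(): tags one handler or a whole controller class.
function Public(target: Target): void {
  setMetadata(IS_PUBLIC_KEY, true, target);
}

// Stand-in for the Reflector lookup: the first target with a defined value wins.
function getAllAndOverride(key: string, targets: Target[]): unknown {
  for (const t of targets) {
    const value = metadata.get(t)?.get(key);
    if (value !== undefined) return value;
  }
  return undefined;
}

// Constructed stand-in for JWT verification (assumption: one fixed valid token).
function verifyToken(authHeader: string | undefined): boolean {
  return authHeader === "Bearer constructed-valid-token";
}

// Guard logic: only explicit isPublic === true skips authentication.
// A route with no metadata at all falls through to the token check.
function canActivate(handler: Target, controller: Target, authHeader?: string): boolean {
  const isPublic = getAllAndOverride(IS_PUBLIC_KEY, [handler, controller]);
  if (isPublic === true) return true;
  return verifyToken(authHeader);
}

// Constructed sample controllers.
class HealthController { ping() { return "ok"; } }
class UsersController { list() { return []; } login() { return "token"; } }
Public(HealthController);                 // class level: every route is public
Public(UsersController.prototype.login);  // method level: only this route is public
```

A new route added to `UsersController` without a `Public(...)` call is denied unless the request authenticates, which is the property that makes opt-out safer than maintaining a whitelist.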