
Add guarded API token refresh handling #21

Open
qingfeng312 wants to merge 1 commit into 9904099:main from qingfeng312:qingfeng/guarded-refresh-2


@qingfeng312


Summary

Implements guarded API token refresh in frontend/src/services/api.ts so concurrent 401 responses share one refresh request, callers retry once with fresh credentials, and failed refreshes clear local auth state with a typed authentication error.

/claim #2
Closes #2

Changes

  • Added a single-flight refresh guard around /auth/refresh.
  • Re-applies request interceptors for the retry so the original method, custom headers, body, and latest token are preserved.
  • Updates both tot_auth_tokens and legacy auth_token/refresh_token storage keys after refresh.
  • Clears auth storage and surfaces a 401 AuthenticationError when refresh is rejected.
  • Prevents refresh endpoint 401s from recursively starting another refresh.
  • Added an executable mocked-fetch validation fixture for concurrent 401s, POST retry preservation, refresh failure, and refresh-endpoint loop prevention.
  • Includes the generated diagnostic JSON from python3 build.py; no encrypted .logd artifact was produced locally.

Testing

  • node frontend/src/services/api_refresh.validation.mjs
  • cd frontend && npm run build
  • git diff --check
  • python3 build.py generated diagnostic/build-2b54872c.json; frontend and v2-market-stream passed, while backend/market/engine/compliance/nfc/openapi modules failed locally because required toolchains or platform-specific build support were unavailable (cargo, go, cmake, Java runtime, luac, ghc, and macOS MAP_HUGETLB).

Checklist

  • Relevant modules affected by these changes build locally
  • Tests pass locally
  • Diagnostic build JSON is committed in this PR
  • Diagnostic .logd artifact is committed in this PR. It was not created by the local build run; the included diagnostic JSON records the failure.
  • Changes are scoped to the PR purpose and avoid unrelated cleanup
  • Security, privacy, and error-handling implications have been considered
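
The single-flight guard, single retry, and failure path listed under Changes, as an added JavaScript example that is not the PR's `api.ts`. The names `createClient` and `demo`, the `Map` standing in for browser storage, the `/auth/refresh` payload shapes, the `/orders` endpoint, and the token values are assumptions constructed for illustration.

```javascript
// Added illustration, not the PR's api.ts; refresh payload shapes and Map storage are assumed.
class AuthenticationError extends Error {
  constructor(msg) { super(msg); this.name = "AuthenticationError"; this.status = 401; }
}
function createClient(fetchImpl, storage) {
  let inFlight = null; // shared refresh promise while one is running
  const clearAuth = () => ["tot_auth_tokens", "auth_token", "refresh_token"].forEach((k) => storage.delete(k));
  async function doRefresh() {
    // Calls fetchImpl directly, so a 401 from this endpoint cannot start another refresh.
    const res = await fetchImpl("/auth/refresh", { method: "POST",
      body: JSON.stringify({ refresh_token: storage.get("refresh_token") }) });
    if (!res.ok) { clearAuth(); throw new AuthenticationError("token refresh rejected"); }
    const t = await res.json();
    storage.set("tot_auth_tokens", JSON.stringify(t));
    storage.set("auth_token", t.access_token);
    storage.set("refresh_token", t.refresh_token);
  }
  // Concurrent 401s await the same promise; the slot frees once it settles.
  const refreshOnce = () =>
    inFlight || (inFlight = doRefresh().finally(() => { inFlight = null; }));
  // Headers are rebuilt per attempt so the retry carries the latest token.
  const send = (url, init) => fetchImpl(url, { ...init,
    headers: { ...init.headers, Authorization: `Bearer ${storage.get("auth_token")}` } });
  return async function request(url, init = {}) {
    const first = await send(url, init);
    if (first.status !== 401) return first;
    await refreshOnce();
    return send(url, init); // single retry, same method and body
  };
}
// Constructed mock backend: only "Bearer new" is accepted on /orders.
async function demo(refreshAllowed) {
  const storage = new Map([["auth_token", "old"], ["refresh_token", "r1"]]);
  let refreshCalls = 0;
  const fetchImpl = async (url, init) => {
    await new Promise((r) => setTimeout(r, 5)); // let the three calls overlap
    if (url !== "/auth/refresh") {
      const ok = init.headers.Authorization === "Bearer new";
      return { ok, status: ok ? 200 : 401, method: init.method };
    }
    refreshCalls++;
    if (!refreshAllowed) return { ok: false, status: 401 };
    return { ok: true, status: 200, json: async () => ({ access_token: "new", refresh_token: "r2" }) };
  };
  const request = createClient(fetchImpl, storage);
  const calls = [1, 2, 3].map(() => request("/orders", { method: "POST", body: "{}" }));
  const results = await Promise.allSettled(calls);
  return { results, refreshCalls, storage };
}
```

`demo(true)` drives three overlapping POSTs through one refresh; `demo(false)` shows the rejected refresh clearing all three storage keys and every caller receiving the typed 401 error.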


Development

Successfully merging this pull request may close these issues.

[$45 BOUNTY] [TypeScript] Add guarded API token refresh handling
