fix: guard api token refresh retries #22

Open
rohitmulani63-ops wants to merge 2 commits into 9904099:main from rohitmulani63-ops:fix/api-token-refresh-singleflight
rohitmulani63-ops commented Jun 22, 2026

Summary

Adds guarded API token refresh handling so concurrent 401 responses share one refresh request, retry the original request once with the refreshed token, and clear local auth state when refresh fails.

Closes #2

Changes

  • Added a single-flight refresh guard around /auth/refresh.
  • Retries the original request once after a successful refresh while preserving method, headers, and body.
  • Avoids refresh loops when the refresh endpoint itself returns 401/403.
  • Clears stored auth state when refresh fails.
  • Added an executable refresh fixture for concurrent 401s, successful retry, and failed-refresh cleanup.

Testing

  • npm ci
  • npm run build
  • Bundled and ran frontend/src/services/api.refresh.fixture.ts with esbuild and Node
  • PYTHONUTF8=1 PYTHONIOENCODING=utf-8 python build.py

Notes:

  • npm run build passed.
  • The refresh fixture passed.
  • build.py produced diagnostic/build-2b54872c.json.
  • build.py could not create the matching .logd locally because tools/encryptly/windows-x64/encryptly.exe pack returned a non-zero exit and did not write a .logd, including on a tiny probe folder.
  • The multi-language build also reports missing local toolchains on this Windows machine: cargo, go, gcc/g++, cmake, make, ruby, luac, and ghc.

Checklist

  • Relevant modules affected by these changes build locally
  • Tests pass locally
  • Diagnostic build metadata is committed in this PR; encrypted .logd generation was attempted and the local failure is noted above
  • Documentation has been updated, if applicable
  • Configuration or schema changes are documented, if applicable
  • No generated build artifacts are committed, except the required diagnostic build metadata
  • Changes are scoped to the PR purpose and avoid unrelated cleanup
  • Security, privacy, and error-handling implications have been considered

  • I would like to request that my diagnostic build metadata is removed before merging
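
The single-flight guard listed under Changes, as an added sketch in plain JavaScript; it is not the code from this pull request. `createAuthClient`, `send`, `refresh`, `store` and the token values are assumptions made so the demo runs offline.

```javascript
// Added example; createAuthClient, send, refresh and store are hypothetical names.
function createAuthClient({ send, refresh, store }) {
  let inFlight = null; // promise shared by every caller while a refresh is running

  function refreshOnce() {
    if (!inFlight) {
      inFlight = (async () => {
        // refresh() is called directly, never through request(), so a 401/403
        // from the refresh endpoint cannot trigger another refresh.
        const res = await refresh();
        if (res.status !== 200) {
          store.token = null; // failed refresh: clear local auth state
          throw new Error(`refresh failed with status ${res.status}`);
        }
        store.token = res.token;
        return res.token;
      })().finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  return async function request(req) {
    const used = store.token;
    const first = await send(req, used);
    if (first.status !== 401) return first;
    // If another caller already rotated the token, reuse it instead of refreshing again.
    const token = store.token && store.token !== used ? store.token : await refreshOnce();
    return send(req, token); // exactly one retry with the same req (method, headers, body)
  };
}

// Constructed demo: a fake backend accepts only "t2"; three requests start with stale "t1".
async function demo(refreshStatus) {
  const store = { token: "t1" };
  let refreshCalls = 0;
  const sent = [];
  const send = async (req, token) => {
    sent.push(`${req.method} ${req.url} ${token}`);
    return { status: token === "t2" ? 200 : 401 };
  };
  const refresh = async () => { refreshCalls += 1; return { status: refreshStatus, token: "t2" }; };
  const request = createAuthClient({ send, refresh, store });
  const reqs = ["/a", "/b", "/c"].map((url) => ({ method: "POST", url, body: "x" }));
  const results = await Promise.allSettled(reqs.map((r) => request(r)));
  return { refreshCalls, token: store.token, sent, outcomes: results.map((r) => r.status) };
}
```

`demo(200)` exercises the concurrent-401 path and `demo(401)` the failed-refresh cleanup path; a second 401 on the retry is returned to the caller as-is rather than retried again.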

Development

Successfully merging this pull request may close these issues.

[$45 BOUNTY] [TypeScript] Add guarded API token refresh handling