
enforce backend auth truth and prevent stale sessions #407

Open

indresh404 wants to merge 5 commits into Priyanshu-byte-coder:main from indresh404:fix/user-sync-and-github-api-errors

Conversation

@indresh404 (Contributor)

Summary

Adds backend-backed auth session validation to prevent stale or mismatched authenticated states in the client.

This PR introduces a new /api/auth/me endpoint to verify session-user mapping, adds startup auth validation with automatic sign-out for invalid sessions, improves GitHub account token lookup reliability, and adds reload buttons for better recovery UX.

Closes #348

Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Refactor / code cleanup

Changes Made

  • Added /api/auth/me endpoint to validate authenticated sessions against backend user records
  • Ensures invalid or missing user mappings return proper 401 / 404 responses
  • Added AuthSessionValidator component for startup auth verification
  • Mounted validator globally in providers.tsx
  • Automatically signs out users with stale or invalid auth sessions
  • Replaced brittle .single() usage with .maybeSingle() in GitHub account token lookup
  • Reduced PGRST116-style cascading failures from missing user rows
  • Added reload buttons for easier recovery and improved user experience during auth/data mismatch states

How to Test

Steps for the reviewer to verify this works:

  1. Sign in normally and verify authenticated flows still work
  2. Delete or invalidate the corresponding backend user record/session mapping
  3. Refresh the application
  4. Verify the client automatically signs out instead of remaining falsely authenticated
  5. Verify /api/auth/me returns proper 401 or 404 responses for invalid states
  6. Test GitHub account token retrieval and confirm missing rows no longer throw .single() errors
  7. Verify reload buttons properly refresh/recover affected UI states

Checklist

  • Linked issue in summary
  • npm run lint passes locally
  • No TypeScript errors (npm run type-check)
  • Self-reviewed the diff
  • Added/updated tests if applicable

@vercel bot commented May 19, 2026

@indresh404 is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@Priyanshu-byte-coder (Owner) left a comment

1. 401 → 404 regression — when !session.githubId, the missing GitHub ID is an auth problem, not a missing resource. Keep 401. Returning 404 is semantically wrong and will confuse API consumers.

2. signOut() fires on network errors — AuthSessionValidator calls signOut() in the catch block unconditionally. A transient network timeout will log users out. Only call signOut() on HTTP 401/404 responses, not on fetch exceptions.

3. Duplicated GitHubApiError class — the same class and helper are copy-pasted identically into 4 route files. Extract into src/lib/github-error.ts and import.
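To make the behaviour described in the PR summary and the first two review points concrete, here is an added TypeScript example (not code from the PR or from the project) that models the /api/auth/me decision on the server and the sign-out rule an AuthSessionValidator should follow on the client. The session and user-row shapes, the in-memory users table, and the function names authMe, decideSessionAction and validateAtStartup are assumptions made for illustration; the lookup stands in for a Supabase-style .maybeSingle() call, returning null rather than throwing when no row matches.

```typescript
// Added example (not the project's code): models the /api/auth/me decision
// and the client-side validator's sign-out rule described in the PR and review.
// Session and user-row shapes, the in-memory table, and all function names
// are assumptions for illustration only.

type Session = { githubId?: string } | null;
type UserRow = { id: string; githubId: string; login: string };

// Constructed sample data standing in for the backend users table.
const USERS: UserRow[] = [
  { id: "u1", githubId: "1001", login: "alice" },
];

// Stands in for a .maybeSingle() lookup: returns null when no row matches
// instead of throwing the way a .single() call does on zero rows.
function findUserByGithubId(githubId: string): UserRow | null {
  const rows = USERS.filter((u) => u.githubId === githubId);
  if (rows.length > 1) throw new Error("expected at most one user row");
  return rows[0] ?? null;
}

type MeResponse =
  | { status: 200; body: { user: UserRow } }
  | { status: 401; body: { error: string } }
  | { status: 404; body: { error: string } };

// Server-side rule for /api/auth/me: no session or no GitHub ID is an
// authentication failure (401, as the review asks); a session whose GitHub ID
// has no matching user row is a missing resource (404).
function authMe(session: Session): MeResponse {
  if (!session || !session.githubId) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  const user = findUserByGithubId(session.githubId);
  if (!user) {
    return { status: 404, body: { error: "user record not found" } };
  }
  return { status: 200, body: { user } };
}

// What the client observed when calling /api/auth/me: an HTTP status, or a
// thrown fetch error (timeout, DNS failure, offline).
type MeOutcome =
  | { kind: "response"; status: number }
  | { kind: "error"; message: string };

type ValidatorAction = "keep" | "signOut" | "retry";

// Client-side rule for the startup validator: only a definitive 401/404 from
// the backend proves the session is stale. A thrown fetch error or a 5xx says
// nothing about the session, so it is retried rather than treated as sign-out.
function decideSessionAction(outcome: MeOutcome): ValidatorAction {
  if (outcome.kind === "error") return "retry";
  if (outcome.status === 401 || outcome.status === 404) return "signOut";
  if (outcome.status >= 500) return "retry";
  return "keep";
}

// End-to-end: run the server rule, then feed its result to the client rule.
// networkUp=false simulates the fetch itself throwing.
function validateAtStartup(session: Session, networkUp = true): ValidatorAction {
  if (!networkUp) {
    return decideSessionAction({ kind: "error", message: "fetch failed" });
  }
  const res = authMe(session);
  return decideSessionAction({ kind: "response", status: res.status });
}
```

The client rule is deliberately asymmetric: a 401 or 404 is backend truth that the client's authenticated state is stale, so it triggers sign-out; a transport error or a 5xx is retried, which is exactly the review's objection to an unconditional signOut() in the catch block. On the server side a missing githubId is classified as 401, matching the first review point.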

@github-actions bot added the labels gssoc26 (GSSoC 2026 contribution) and type:security (GSSoC type bonus: security, +20 pts) on May 20, 2026

Labels

  • gssoc26: GSSoC 2026 contribution
  • level:advanced: GSSoC Advanced difficulty (55 pts)
  • type:security: GSSoC type bonus: security (+20 pts)

Development

Successfully merging this pull request may close these issues.

[BUG] Missing users Row Causes Auth/API Failures + Hidden GitHub API Errors

2 participants