phase 7: auth flow UI (email-code login + session resume + revocation)

Implements ui/PLAN.md Phase 7 end-to-end:

- /login two-step form (email -> code) over the gateway public REST
  surface; /lobby placeholder issues the first authenticated
  user.account.get and renders the decoded display name.
- SessionStore (Svelte 5 runes) with loading / unsupported / anonymous /
  authenticated states; layout-level route guard, browser-not-supported
  blocker, and a minimal SubscribeEvents revocation watcher that closes
  the active client within 1s on a clean stream end or
  Unauthenticated.
- VITE_GATEWAY_BASE_URL + VITE_GATEWAY_RESPONSE_PUBLIC_KEY config plus
  AuthError taxonomy in api/auth.ts.
- Vitest (auth-api, session-store, login-page) and Playwright e2e
  (auth-flow.spec.ts) on the four configured projects, with a fixture
  Ed25519 keypair forging Connect-Web JSON responses.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

ui/frontend/.env.example

@@ -0,0 +1,18 @@
+# Vite reads any variable prefixed with `VITE_` and exposes it on
+# `import.meta.env`. Copy this file to `.env.local` (gitignored) and
+# fill in the values before running `pnpm run dev` or `pnpm exec
+# playwright test` against a real gateway.
+
+# Base URL of the gateway public REST surface and Connect-Web edge
+# listener. Both surfaces share the same host and port. Defaults to
+# the local dev address used by `tools/local-ci` and the Go-side
+# integration suite.
+VITE_GATEWAY_BASE_URL=http://localhost:8080
+
+# Standard (non-URL-safe) base64 of the gateway's raw 32-byte
+# Ed25519 response-signing public key. Required only for
+# authenticated unary calls; unauthenticated routes (`/login`)
+# work without it. For local dev, take the value the gateway
+# integration container exports as `ResponseSignerPublic` (see
+# `integration/testenv/gateway.go`).
+VITE_GATEWAY_RESPONSE_PUBLIC_KEY=