[AZ-510] Auth bootstrap: POST refresh + chained /users/me

Replace the broken `GET /api/admin/auth/refresh` (no `credentials:'include'`)
mount-time bootstrap with `POST /api/admin/auth/refresh` (with credentials)
chained to `GET /api/admin/users/me`. Returning users with a valid HttpOnly
refresh cookie no longer flash through `/login`. Closes Finding B3 / Vision P3.

- Add module-scoped `bootstrapInflight` guard (StrictMode double-mount safety)
  + test-only reset hook exported via the `src/auth` barrel; `tests/setup.ts`
  resets it in `afterEach` to prevent pending-promise leakage between tests.
- Defensive `hasPermission` against legacy `/users/me` payloads omitting
  `permissions`; default MSW handler now seeds `permissions` explicitly.
- Add `endpoints.admin.usersMe()` builder (STC-ARCH-02 forbids the literal).
- Bulk-swap 15 test files from `http.get` -> `http.post` for the refresh
  override so intentional bootstrap-fail tests still fail correctly.
- Update auth component description; mark B3 closed.
- Code review verdict PASS; static + fast suites green (231 / 13 skipped).

Batch report: _docs/03_implementation/batch_13_cycle3_report.md

Co-authored-by: Cursor <cursoragent@cursor.com>

src/api/endpoints.ts

@@ -23,6 +23,11 @@ export const endpoints = {
     authLogin: () => '/api/admin/auth/login',
     authLogout: () => '/api/admin/auth/logout',
     users: () => '/api/admin/users',
+    // AZ-510 — chained from POST authRefresh() during AuthProvider bootstrap
+    // (the POST refresh response is `{ token }` only; the user shape comes
+    // from this GET). Keeps `01_api-transport` as the single source of truth
+    // for `/api/admin/...` literals (STC-ARCH-02).
+    usersMe: () => '/api/admin/users/me',
     user: (id: string) => `/api/admin/users/${id}`,
     classes: () => '/api/admin/classes',
     // DetectionClass.id is `number` in the type system; widened to accept