wip: Phase 3 UAT in progress — 2/10 tests pass, upload XHR bug open

Fixes applied this session:
- frontend/src/api/client.js: noRefreshPaths exclusion prevents auth 401s
  from triggering session-expired error on login/register/refresh
- frontend/src/router/index.js: async beforeEach with silent refresh()
  restores session from httpOnly cookie on page reload

UAT state: 2 pass (cold-start, admin block), 1 open (XHR upload network error),
7 pending. MinIO PUT fails in browser — needs console output to diagnose.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/api/client.js

@@ -21,7 +21,10 @@ async function request(path, options = {}) {
   const res = await fetch(path, { ...options, headers, credentials: 'include' })
 
   // 401 → attempt refresh → retry once
-  if (res.status === 401 && !options._retry) {
+  // Skip refresh for auth endpoints: login/register return 401 for bad credentials (not expired tokens),
+  // and refresh itself must not retry to avoid an infinite loop.
+  const noRefreshPaths = ['/api/auth/login', '/api/auth/register', '/api/auth/refresh']
+  if (res.status === 401 && !options._retry && !noRefreshPaths.includes(path)) {
     try {
       await authStore.refresh()
       return request(path, { ...options, _retry: true })