Title: Integration: automatic refresh on 401

Branch: 35-int/refresh-flow-naasir

Description:

• Keep refresh token in memory/localStorage (as per your FE policy).
• On 401 from protected call, call /auth/refresh; update access; retry once.
• If refresh fails → logout + redirect to login.

Acceptance:

• Expired access transparently refreshes; infinite loops avoided.

Depends on: API client & auth interceptor