UX-913: silently refresh embedded auth on stale tabs

[malinskibeniamin]

What

• add a shared Connect token refresh interceptor plus shared embedded auth error notification helpers
• route embedded Connect transports through the configured fetch path so MF v1 hosts can recover stale bearer tokens through their existing authenticated fetch
• wire MF v2 TokenManager refresh handling into setup-created clients, router/root transports, AI Gateway transports, and controlplane transports
• prewarm embedded auth on focus / visibilitychange so stale tabs refresh before refetches surface rendering errors
• add targeted unit and integration coverage for the shared refresh flow, MF v1 fetch usage, MF v2 prewarm, and hook transports

Why

When an embedded Console tab sits stale long enough for its bearer token to expire, coming back to it can trigger unauthenticated failures and confusing frontend stack traces. This change makes stale-tab recovery silent when possible and falls back to the existing embedded re-auth handoff when it is not.

How

• extract createTokenRefreshInterceptor() into a shared utility and distribute it through a small context/registry layer
• in MF v2, build the interceptor from TokenManager.refresh() and register/provide it anywhere embedded Connect transports are created
• in MF v1, keep the current host API intact and make the embedded Connect transports use config.fetch so host-provided authenticated fetch implementations can refresh/retry requests
• add a debounced embedded auth prewarm hook that refreshes auth/user state and invalidates active queries/router state after the tab becomes active again
• centralize embedded auth failure signaling through console:auth-error

Acceptance Criteria

• stale embedded bearer tokens are silently refreshed before retrying Connect requests
• stale-tab recovery works for both module federation v1 and module federation v2
• AI Gateway, controlplane, and setup-created shared clients use the same recovery behavior
• users no longer hit raw rendering errors / stack traces during a recoverable stale-token flow
• unrecoverable refresh failures still hand off cleanly to the existing embedded re-login flow
• no required host-facing API changes were introduced