fix(auth): cookie lifetime now matches the JWT exp, not a stale 8h fallback

revert(auth): drop OAuth popup flow, restore plain new-tab login

feat(auth): sign-out button in the editor topbar

feat(auth): OAuth popup window instead of full-tab redirect

fix(auth): use roleInOrg from whoami, drop broken members API

refactor(backend): modular server split with new routes, persistence and agent layer

fix: XSS escaping, DRY utils, agent undo batch, graceful shutdown

feat: implement proper HF OAuth flow

fix: auth flow for publish and write access check

feat: add HF OAuth authentication middleware