refactor(spx-gui): remove jwt-decode and drop local cached username assumptions #3224

Open: cn0809 wants to merge 5 commits into goplus:dev from cn0809:dev

cn0809 (Collaborator) commented May 29, 2026

Summary

This PR removes reliance on locally cached username hints and tightens how signed-in state is resolved, scoped, and consumed across the app.

Main changes

  • Remove the cached username field from local auth state and stop eagerly validating sign-in by fetching the signed-in user during token-based sign-in.
  • Add auth-session scoping for signed-in user queries so stale async results and cached data do not leak across sign-in/sign-out transitions.
  • Make sign-out/session handling safer for guest/public requests by avoiding unnecessary auth-scope bumps when no local auth state exists.
  • Refactor user-scoped storage utilities to accept an explicit resolved scope instead of deriving it from auth internals.
  • Update Copilot and tutorial session persistence to wait for resolved signed-in state before binding storage, preventing startup-time scope mismatches.
  • Replace synchronous “own editor route” username resolution with a dedicated editor entry page that redirects after signed-in state is resolved.
  • Switch following/liking cache keys from unresolved local username hints to canonical signed-in user data.
  • Move editor UI preferences such as font size and sidebar width to browser-scoped local storage, with compatibility handling for legacy user-scoped values.
  • Add regression tests for signed-in user query scoping and guest-session token resolution behavior.
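
The auth-session scoping listed in the summary above, illustrated as an added example that is not code from this PR or from spx-gui: a scope counter is bumped on each real sign-in or sign-out, and a user lookup that started under an older scope is discarded. The class, the callback-style `FetchUser` backend and the `token-<name>` values are assumptions made for the illustration.

```typescript
// Hypothetical names throughout; this is not spx-gui's implementation.
type SignedInUser = { username: string }
type FetchUser = (token: string, done: (user: SignedInUser) => void) => void

class AuthScopedUserStore {
  private scope = 0 // bumped on every real sign-in / sign-out transition
  private token: string | null = null
  private cached: { scope: number; user: SignedInUser } | null = null
  private fetchUser: FetchUser
  constructor(fetchUser: FetchUser) { this.fetchUser = fetchUser }
  currentScope(): number { return this.scope }
  signIn(token: string): void { this.enter(token) }
  signOut(): void { if (this.token !== null) this.enter(null) } // guest: no scope bump
  private enter(token: string | null): void {
    this.token = token
    this.scope++
    this.cached = null
  }
  // Resolve the user from the backend (assumed lookup), never from token claims.
  // Guests get null; a response that started in an older scope is dropped.
  resolveUser(onUser: (user: SignedInUser | null) => void): void {
    if (this.token === null) return onUser(null)
    const startedIn = this.scope
    if (this.cached !== null && this.cached.scope === startedIn) return onUser(this.cached.user)
    this.fetchUser(this.token, (user) => {
      if (this.scope !== startedIn) return // stale: session changed in flight
      this.cached = { scope: startedIn, user }
      onUser(user)
    })
  }
}

// Constructed scenario: alice's lookup is still pending when bob signs in.
function staleResultScenario(): { delivered: string[]; guestScope: number } {
  const pending: Array<() => void> = []
  // Constructed stand-in backend: maps 'token-<name>' to <name> when released.
  const backend: FetchUser = (token, done) => { pending.push(() => done({ username: token.slice(6) })) }
  const store = new AuthScopedUserStore(backend)
  store.signOut() // guest sign-out: must leave the scope untouched
  const guestScope = store.currentScope()
  const delivered: string[] = []
  const record = (u: SignedInUser | null) => { delivered.push(u === null ? '(guest)' : u.username) }
  store.signIn('token-alice'); store.resolveUser(record)
  store.signOut(); store.signIn('token-bob'); store.resolveUser(record)
  pending.reverse().forEach((finish) => finish()) // bob's reply lands first, alice's last
  store.resolveUser(record) // served from the cache of the current scope
  return { delivered, guestScope }
}
```

Alice's late response never reaches the consumer or the cache, and the guest sign-out leaves the scope at its initial value.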

gemini-code-assist (Bot, Contributor) left a comment

Code Review

This pull request refactors the authentication flow to rely on canonical, backend-confirmed user data instead of synchronously decoding the username from the JWT access token. It removes the jwt-decode dependency, updates the stores (following, liking, and user) to use the fetched user data, and adds TODOs for future routing and storage improvements. The review feedback highlights a critical robustness issue: if the asynchronous username synchronization fails during sign-in, the application could be left in a corrupted state where it appears signed in but lacks valid user data. It is recommended to wrap these synchronization calls in try-catch blocks to trigger a sign-out and clean up the state upon failure.

Comment thread spx-gui/src/stores/user/signed-in.ts
Comment thread spx-gui/src/stores/user/signed-in.ts
fennoai (Bot, Contributor) left a comment

Code Review Summary

This refactor correctly eliminates fragile client-side JWT claim extraction and moves username resolution to a backend-authoritative path. The core direction is sound. A few issues worth addressing:

Highlights:

  • signInWithAccessToken is now properly async and awaited — the missing await in the prior code was a real bug
  • useModifySignedInUsername now fetches canonical identity before cache invalidation — correct
  • following.ts / liking.ts migration to useSignedInUser() is clean
  • Typo fixes (known, access) are appreciated

Issues noted inline below.

Comment thread spx-gui/src/stores/user/signed-in.ts Outdated
Comment thread spx-gui/src/stores/user/signed-in.ts Outdated
Comment thread spx-gui/src/stores/user/signed-in.ts Outdated
Comment thread spx-gui/src/stores/user/signed-in.ts
Comment thread spx-gui/src/pages/sign-in/token.vue
cn0809 changed the title from "refactor(spx-gui): remove jwt-based username parsing from sign-in flow" to "refactor(spx-gui): remove jwt-decode and drop local cached username assumptions" on Jun 2, 2026