
Expand server auth coverage with end-to-end unit scenarios for token, network, and invite flows#75

Draft
Copilot wants to merge 2 commits into
mainfrom
copilot/analyze-test-coverage

Conversation


Copilot AI commented May 14, 2026

This PR addresses low test coverage in the server auth domain by adding focused tests for high-risk, previously under-covered behavior in server/src/auth.ts. The new suite exercises core lifecycle paths and permission boundaries that were not covered by existing token/password dictionary tests.

  • Coverage focus: auth workflow surface
    • Added server/src/auth-workflows.test.ts to cover real auth lifecycles instead of isolated helpers.
    • Targets login/session token behavior, network ownership/quotas, invite semantics, and password reset paths.
  • Token and login lifecycle
    • Covers bootstrap admin registration contracts (first-user behavior, default network ownership).
    • Verifies login token issuance and resolveToken behavior, including metadata (tokenName, networkId) and last_used_at updates.
    • Adds revoke semantics (revokeToken, revokeOtherUserTokens) and multi-token user session behavior.
  • Authorization and network boundaries
    • Adds tests for network quota enforcement and duplicate network naming constraints.
    • Verifies permission gates for viewer/member roles on token creation and node-scoped network tokens.
    • Covers rename/delete ownership checks and delete blocking when active sessions exist.
  • Password and admin reset flow
    • Exercises changePassword failure and success paths (weak password rejection, old password mismatch, token revocation on success).
    • Covers resetUserPassword admin-only enforcement, credential rotation, and audit log emission.
  • Invite and membership edge cases
    • Tests invalid invite roles, invalid codes, usage limits, and expiry handling.
    • Covers member lifecycle constraints: duplicate add, disallowed owner reassignment, owner removal protection, and non-member removal handling.
```typescript
// Snippet from the PR description. The import path is assumed from the file layout
// named above (server/src/auth.ts beside server/src/auth-workflows.test.ts);
// `expect` is the test runner's global.
import { login, resolveToken } from "./auth";

const loginResult = login("alice", "StrongPw123");
const resolved = resolveToken(loginResult.token!);

expect(resolved?.user.username).toBe("alice");
expect(resolved?.tokenName).toBe("user-login");
expect(resolved?.networkId).toBe(null);
```
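The token lifecycle the description lists (issue on login, resolve with tokenName/networkId metadata and a last_used_at update, revokeToken, revokeOtherUserTokens, and changePassword revoking sessions on success) is easier to reason about against a small model than against a list of test names. The block below is an added illustration written for this page, not the project's auth.ts and not code from the PR; the class name AuthStore, the password policy in isWeakPassword, the "user-login" token name, and the choice to keep the current session alive while revoking the user's other tokens on a password change are all assumptions. It shows the properties the tests described above would pin down: tokens are stored only as a SHA-256 digest, so a database read leak does not yield usable bearer tokens; resolving a token touches last_used_at; and a successful password change invalidates every other session for that user.

```typescript
import { createHash, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Hypothetical record shapes; the real auth.ts is not reproduced on this page.
export interface User { id: string; username: string }
interface UserRow extends User { salt: Buffer; pwHash: Buffer }
interface TokenRow { userId: string; tokenName: string; networkId: string | null; lastUsedAt: number | null }
export interface Resolved { user: User; tokenName: string; networkId: string | null; lastUsedAt: number | null }

const PASSWORD_MIN_LEN = 10; // assumed policy: length plus at least one letter and one digit

// Only the digest of a bearer token is kept; the plaintext exists once, in the caller's hands.
function digest(token: string): string { return createHash("sha256").update(token).digest("hex"); }
function hashPw(pw: string, salt: Buffer): Buffer { return scryptSync(pw, salt, 32); }
export function isWeakPassword(pw: string): boolean {
  return pw.length < PASSWORD_MIN_LEN || !/[0-9]/.test(pw) || !/[A-Za-z]/.test(pw);
}

export class AuthStore {
  private users = new Map<string, UserRow>();    // by username
  private usersById = new Map<string, UserRow>(); // by id
  private tokens = new Map<string, TokenRow>();   // by sha256(token)
  private now: () => number;                      // injectable clock so tests can assert last_used_at

  constructor(now: () => number = () => Date.now()) { this.now = now; }

  register(username: string, password: string): User | null {
    if (this.users.has(username) || isWeakPassword(password)) return null;
    const salt = randomBytes(16);
    const row: UserRow = { id: `u${this.users.size + 1}`, username, salt, pwHash: hashPw(password, salt) };
    this.users.set(username, row);
    this.usersById.set(row.id, row);
    return { id: row.id, username };
  }

  private checkPassword(row: UserRow, password: string): boolean {
    // Both digests are 32 bytes, so timingSafeEqual's equal-length precondition holds.
    return timingSafeEqual(row.pwHash, hashPw(password, row.salt));
  }

  // Issue a token for a user; networkId scopes node/network tokens, null means a plain user session.
  issueToken(username: string, tokenName: string, networkId: string | null = null): string | null {
    const row = this.users.get(username);
    if (!row) return null;
    const token = randomBytes(32).toString("base64url");
    this.tokens.set(digest(token), { userId: row.id, tokenName, networkId, lastUsedAt: null });
    return token;
  }

  login(username: string, password: string): { token: string | null } {
    const row = this.users.get(username);
    if (!row || !this.checkPassword(row, password)) return { token: null };
    return { token: this.issueToken(username, "user-login") };
  }

  // Resolve a bearer token to its user and metadata, recording the access time.
  resolveToken(token: string): Resolved | null {
    const row = this.tokens.get(digest(token));
    if (!row) return null;
    row.lastUsedAt = this.now();
    const user = this.usersById.get(row.userId);
    if (!user) return null;
    return { user: { id: user.id, username: user.username }, tokenName: row.tokenName,
             networkId: row.networkId, lastUsedAt: row.lastUsedAt };
  }

  revokeToken(token: string): boolean { return this.tokens.delete(digest(token)); }

  // Revoke every token of the user except the one presented; returns the number revoked.
  revokeOtherUserTokens(username: string, keepToken: string): number {
    const row = this.users.get(username);
    if (!row) return 0;
    const keep = digest(keepToken);
    let revoked = 0;
    for (const [hash, t] of this.tokens) {
      if (t.userId === row.id && hash !== keep) { this.tokens.delete(hash); revoked++; }
    }
    return revoked;
  }

  // Fails closed on an old-password mismatch or a weak new password; on success the credential
  // is re-salted and every other session is revoked (assumed policy: the current session survives).
  changePassword(username: string, oldPw: string, newPw: string, currentToken: string):
      { ok: boolean; error?: string; revoked?: number } {
    const row = this.users.get(username);
    if (!row || !this.checkPassword(row, oldPw)) return { ok: false, error: "old password mismatch" };
    if (isWeakPassword(newPw)) return { ok: false, error: "weak password" };
    row.salt = randomBytes(16);
    row.pwHash = hashPw(newPw, row.salt);
    return { ok: true, revoked: this.revokeOtherUserTokens(username, currentToken) };
  }
}
```

The order of checks in changePassword matters: the old-password check runs before the policy check, so an attacker holding a stolen session cannot use the weak-password error as an oracle to distinguish "wrong old password" from "policy rejected" without first knowing the current password. Deleting from a Map while iterating it is defined behavior in JavaScript, which keeps revokeOtherUserTokens a single pass.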
