Client #67: Keycloak auth user display

[FadyGergesRezk]

Why

The app had no authenticated user context — the sidebar showed no user info, logout was missing, and the Keycloak init pattern blocked React from mounting, causing a flash of the error page on login/logout redirects.

What changed

• Auth gating (AuthenticatedApp, auth-bootstrap.ts): replaces the old keycloak.init().then() bootstrap in main.tsx with a React component that guards rendering, handles StrictMode double-invocation via didInitRef, wraps init in a 15s timeout, and shows typed error states (network / config / timeout / unknown)
• Splash screen (index.html): CSS spinner rendered before JS loads to eliminate the blank-page flash during bundle download
• Silent SSO (public/silent-check-sso.html): required redirect page for Keycloak's check-sso iframe flow
• User display (AppShell, useAuth, AuthUser): sidebar footer now shows avatar initial, display name, and email from the Keycloak token; logout redirects to origin
• shadcn components: added Alert, Avatar, DropdownMenu
• Theme toggle: adds system/monitor icon for the third theme state
• Tests: 23 unit tests covering all auth states, StrictMode re-registration, token expiry, and error classification

Notes

• Profile, Settings, and Help menu items are intentionally disabled — routes don't exist yet
• The pre-commit hook had a bug where git add web-client re-staged all unstaged files after lint; fixed to only re-stage files lint actually modified

Testing

• All 23 tests pass (pnpm test)
• pnpm build passes
• Manually verified user name/email appear in sidebar, logout works, error states render correctly

Closes #67

[raphael-frank]

lgtm! I fixed a small issue in the redirect that prevented me from local deploy.