🐛 fix(auth): enable automatic token refresh across all web apps

Users were getting signed out after ~15 minutes because API clients were
reading tokens directly from localStorage without triggering the refresh
logic. The tokenManager exists with proper refresh capability but was
never being used.

Changes:
- Add getValidToken() method to auth stores in 9 web apps
- Update API clients to use authStore.getValidToken() instead of localStorage
- Token refresh now happens proactively before requests fail

Apps updated: chat, calendar, picture, zitare, contacts, todo, clock, manacore, manadeck

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

apps/clock/apps/web/src/lib/stores/auth.svelte.ts

@@ -33,6 +33,13 @@ function getAuthService() {
 	return _authService;
 }
 
+function getTokenManager() {
+	if (!browser) return null;
+	// Ensure auth service is initialized first
+	getAuthService();
+	return _tokenManager;
+}
+
 // State
 let user = $state<UserData | null>(null);
 let loading = $state(true);
@@ -183,7 +190,8 @@ export const authStore = {
 	},
 
 	/**
-	 * Get access token for API calls
+	 * Get access token for API calls (raw token, no refresh)
+	 * @deprecated Use getValidToken() instead for automatic refresh
 	 */
 	async getAccessToken() {
 		const authService = getAuthService();
@@ -192,4 +200,16 @@ export const authStore = {
 		}
 		return await authService.getAppToken();
 	},
+
+	/**
+	 * Get a valid access token for API calls
+	 * Automatically refreshes if the token is expired or about to expire
+	 */
+	async getValidToken(): Promise<string | null> {
+		const tokenManager = getTokenManager();
+		if (!tokenManager) {
+			return null;
+		}
+		return await tokenManager.getValidToken();
+	},
 };