Move auth flow out of Login.svelte component

[rendall]

Summary

This PR completes Priority 5: the frontend auth-service extraction and cleanup.

The main outcome is that auth behavior now lives behind a widget-scoped authService, while Svelte components receive explicit authService and currentUser props instead of coordinating through the old global relay stores.

What Changed

• Added src/lib/auth-service.ts as the frontend auth command/runtime boundary.
• Moved auth command ownership into auth-service for initial verification, login, logout, signup, guest login, guest profile update, auth request/outcome handling, and persistence integration.
• Added src/lib/auth-persistence.ts so simple_comment_user session/guest persistence is no longer owned by Login.svelte.
• Rewired Login.svelte to delegate auth commands to authService while keeping form-local validation, status rendering, selected-tab UI, and simple_comment_login_tab persistence local to the component.
• Rewired CommentInput.svelte to request login through authService instead of dispatchableStore / loginStateStore relay events.
• Rewired SelfDisplay.svelte to observe logout availability from authService and call authService.logout() directly.
• Rewired SimpleComment.svelte as the composition root that creates the widget-scoped authService, subscribes to authService.currentUser, and passes explicit props down to auth-aware children.
• Deleted the obsolete relay/store modules after migration: src/lib/auth-store-bridge.ts and src/lib/svelte-stores.ts.
• Added first-class Svelte component test coverage for the auth-service integration path.
• Archived completed Priority 5 plans/checklists and recorded the final architecture decision in docs/archive/Priority5Completion.md.

Architecture Decision

Priority 5 intentionally stops at a narrow, explicit architecture:

• auth-service.ts owns auth behavior and auth runtime state.
• SimpleComment.svelte owns widget composition and the top-level currentUser subscription.
• Components that need auth behavior receive authService explicitly.
• Components that only need identity display receive currentUser explicitly.
• No replacement event bus, singleton auth service, broad auth controller, AuthRuntime.svelte, or speculative global auth store is introduced.

A thin service-backed store remains a possible future option only if concrete prop-threading or shared-derived-state pressure appears later.

Why

The earlier auth path coupled login, comment submission, self display, local persistence, and runtime auth state through Login.svelte plus global relay stores. That made incremental extraction fragile and created churn around broader architecture proposals.

This PR keeps the extraction narrow and reversible: auth side effects move into authService, while the component tree keeps explicit ownership and data flow.

Validation

• yarn run ci:local passed on 2026-04-29.
• ci:local includes dependency install with frozen lockfile, lint, prettier check, frontend/backend typecheck, backend/frontend build, backend Jest tests, frontend Jest tests, and Svelte component Vitest tests.
• Latest local component test result: 5 component test files passed, 24 tests passed.
• Latest local frontend unit test result: 14 test suites passed, 176 tests passed.
• Latest local backend test result: 11 test suites passed, 180 tests passed.

Notes And Scope Boundaries

• Cypress infrastructure/bootstrap was updated on this branch, including the Svelte client-entry resolution fix needed for component mounting and the ELECTRON_RUN_AS_NODE reset for local Cypress execution.
• Cypress behavioral regressions discovered during the side quest are intentionally not fixed in this PR; they were treated as out of scope for Priority 5 completion.
• Splitting Login.svelte into child form components, adding auth-controller.ts, adding AuthRuntime.svelte, or redesigning frontend state architecture remains explicitly out of scope.