TASK-004: Bootstrap frontend auth state from backend session check

Validates session on app mount by calling GET /api/auth/session instead of relying
solely on cached sessionStorage. This ensures the UI state always reflects server
reality — expired or revoked sessions are detected immediately.

Changes:
- Backend: Add GET /api/auth/session endpoint (requires valid session, returns 200/401)
- Frontend: Add useSessionValidation hook for mount-time validation
- Frontend: Add SessionValidationLoading component for validation spinner
- Frontend: Update AuthProvider to call validation on mount with loading state
- Frontend: Add validateSession API function
- Docs: Update Features.md with session validation behavior
- Docs: Update Web-Development.md with session validation pattern

Handles three outcomes:
1. Valid session (200): Proceed with cached state
2. Invalid session (401): Clear sessionStorage and redirect to login
3. Network error: Don't logout (backend may be temporarily unreachable)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

frontend/src/components/SessionValidationLoading.tsx

@@ -0,0 +1,35 @@
+/**
+ * Session validation loading indicator.
+ *
+ * Displayed on app mount while the backend validates the session.
+ */
+
+import { makeStyles, Spinner } from "@fluentui/react-components";
+import React from "react";
+
+const useStyles = makeStyles({
+  container: {
+    display: "flex",
+    alignItems: "center",
+    justifyContent: "center",
+    height: "100vh",
+    width: "100%",
+    flexDirection: "column",
+    gap: "16px",
+  },
+});
+
+/**
+ * Loading indicator shown during session validation on app mount.
+ *
+ * @returns React element displaying a centered spinner and message.
+ */
+export function SessionValidationLoading(): React.JSX.Element {
+  const styles = useStyles();
+
+  return (
+    <div className={styles.container}>
+      <Spinner size="large" label="Validating session…" />
+    </div>
+  );
+}