fix(api): correlation ID survives HMR; fix endpoint template literal typos

- client.ts: store correlation ID in sessionStorage so HMR (module re-eval)
  does not generate a new ID mid-session; add clearSessionCorrelationId()
- endpoints.ts: fix 3 template literal trailing-quote bugs (missing ')' chars);
  replace template literals with string concat for encodeURIComponent calls
- AuthProvider.tsx: call clearSessionCorrelationId() on logout
- App.tsx: reorder ThemeProvider import before AuthProvider per PROVIDER_ORDER.md;
  indent Routes inside AuthProvider to match expected tree structure
- Tasks.md: update task status
- providerTreeOrder.test.tsx: add integration tests for provider nesting order

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

frontend/src/providers/AuthProvider.tsx

@@ -56,7 +56,7 @@ import React, {
 } from "react";
 import { useNavigate } from "react-router-dom";
 import * as authApi from "../api/auth";
-import { setUnauthorizedHandler, resetLogoutState } from "../api/client";
+import { setUnauthorizedHandler, resetLogoutState, clearSessionCorrelationId } from "../api/client";
 import { setAuthErrorHandler, resetLogoutState as resetFetchErrorLogoutState } from "../utils/fetchError";
 import { STORAGE_KEY_AUTHENTICATED } from "../utils/constants";
 import { SessionValidationLoading } from "../components/SessionValidationLoading";
@@ -215,6 +215,7 @@ export function AuthProvider({
       // Always clear local state even if the API call fails (e.g. expired session).
       sessionStorage.removeItem(STORAGE_KEY_AUTHENTICATED);
       setIsAuthenticated(false);
+      clearSessionCorrelationId();
 
       // Broadcast logout event to other tabs for immediate sync
       try {