Return false on unknown errors after retries and expire the active
session on confirmed auth failures so imported-token flows don't
remain in an "invalid but authenticated" state. Restore undefined
authUser during provider bootstrap to preserve the prior contract.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

createAuth.initialize() previously set initialized=true before awaiting
loadAuthState(), so the provider's first getState() snapshot reported
initialized=true with empty sessions and authUser collapsed to null
during the hydration window. Flip the flag only after loadAuthState
resolves so consumers relying on undefined-during-bootstrap (e.g.
dashboard-react's legacy token clearing at sdkAuthUser === null) see
the correct transition.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Replace the manual useState + useEffect + catch-up setState pattern
with useSyncExternalStore, the React 18+ primitive designed for
external mutable stores. This eliminates the subscribe/notify race
on mount, prevents tearing under concurrent rendering, and provides
a proper SSR snapshot path.

To satisfy useSyncExternalStore's referential-stability contract,
createAuth() now caches the current AuthSnapshot and invalidates it
inside notifyAll(), so repeated getState() calls between mutations
return the same reference.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Bump minor version for the new auth lifecycle, recovery, and
multi-session APIs added on this branch (importToken,
validateActiveSession, syncActiveSessionUser, updateSession,
expireActiveSession, authRecovery, AuthSnapshot, new events).

Tighten the AuthProvider test so it explicitly asserts authUser
transitions from undefined during bootstrap to null after hydration,
guarding against future regressions of the public contract.