docs(roadmap): record p6 auth session hardening

Saravana Achu Mac 2026-05-05 11:41:13 -07:00
parent 6418ab2836
commit 1fb682a77a

@ -186,7 +186,7 @@ Acceptance criteria:
Goal: the web app is the production-grade primary NoteLett surface.
- [ ] **P6.1** Verify auth middleware and client auth state against real platform-service flows, including expired token, refresh failure, logout, and unauthenticated redirects. Commit:
- [x] **P6.1** Verify auth middleware and client auth state against real platform-service flows, including expired token, refresh failure, logout, and unauthenticated redirects. Commit: `6418ab2`; Verified: `zsh -lc 'source ~/.zshrc; export GITEA_NPM_TOKEN; pnpm --filter @notelett/web run typecheck'`; `zsh -lc 'source ~/.zshrc; export GITEA_NPM_TOKEN; pnpm --filter @notelett/web exec vitest run src/lib/auth-session.test.ts src/components/AuthGuard.test.tsx src/lib/api-helpers.test.ts'`; `zsh -lc 'source ~/.zshrc; export GITEA_NPM_TOKEN; pnpm --filter @notelett/web run test'`; `git diff --check`. Added product-scoped auth session helpers, configured `@bytelyst/react-auth` with NoteLett product id and safe session restore, refreshed expired access tokens through platform-service before rendering protected routes, cleared sessions on refresh failure/logout cleanup, and added coverage for expired token, refresh success/failure, unauthenticated redirects, and kill-switch gating.
- [ ] **P6.2** Verify all mutation flows use offline queue or clear retry UX where appropriate: note create/update/archive/restore, workspace CRUD, link note, task/artifact creation, prompts, intake, reviews. Commit:
- [ ] **P6.3** Add user-facing error states and empty states for backend down, platform down, extraction down, blob upload failure, and feature disabled. Commit:
- [ ] **P6.4** Complete import/export readiness: JSON and Markdown export, deterministic metadata, auth checks, and web download UX. If import is deferred, document scope and acceptance criteria. Commit:
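
Review bot: The checked P6.1 line says the auth flows were verified "against real platform-service flows", but the Verified list on that line holds only a typecheck, vitest runs over `auth-session.test.ts`, `AuthGuard.test.tsx` and `api-helpers.test.ts`, the full web test run, and `git diff --check`. Either state how the real platform-service flows were exercised or reword the evidence so the roadmap does not overstate it. The criterion also names logout, yet the coverage summary lists expired token, refresh success/failure, unauthenticated redirects and kill-switch gating, with logout appearing only under session cleanup; say explicitly whether logout has a test. Lastly, each recorded command is wrapped in `zsh -lc 'source ~/.zshrc; export GITEA_NPM_TOKEN; ...'`, which is local shell setup; recording the bare `pnpm --filter @notelett/web ...` commands and noting once that `GITEA_NPM_TOKEN` must be set would keep the entry reproducible on other machines and much shorter.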