fix(auth): tighten API URL match, add Retry-After header, and add missing tests

- frontend/hooks.server.ts: replace request.url.includes('/api/') with
  new URL(request.url).pathname.startsWith('/api/') so a page named
  /my-api/something cannot accidentally match the API gate
- DomainException: add optional retryAfterSeconds field and a new
  tooManyRequests() factory overload that carries the value
- LoginRateLimiter: pass windowMinutes * 60 as retryAfterSeconds when
  throwing TOO_MANY_LOGIN_ATTEMPTS (RFC 6585 §4 SHOULD)
- GlobalExceptionHandler: emit Retry-After header when retryAfterSeconds
  is set on a DomainException
- RateLimitInterceptor: emit Retry-After: 60 on 429 responses (1-min
  window matches the existing MAX_REQUESTS_PER_MINUTE logic)
- LoginRateLimiterTest: assert retryAfterSeconds equals window duration
- RateLimitInterceptorTest: assert Retry-After header is set on 429
- JdbcSessionRevocationAdapterIntegrationTest: new @SpringBootTest +
  Testcontainers test verifying revokeAll deletes all spring_session rows
  and revokeOther leaves the current session intact

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/hooks.server.ts

@@ -111,7 +111,7 @@ const PUBLIC_API_PATHS = [
 
 export const handleFetch: HandleFetch = async ({ event, request, fetch }) => {
 	const apiUrl = env.API_INTERNAL_URL || 'http://localhost:8080';
-	const isApi = request.url.startsWith(apiUrl) || request.url.includes('/api/');
+	const isApi = request.url.startsWith(apiUrl) || new URL(request.url).pathname.startsWith('/api/');
 
 	if (!isApi) return fetch(request);