feat: switch login to hosted QueoAuth widget; tolerate username-only users

- index.html: load https://auth.queo.ru/widget.js
- auth.ts: openLogin() opens widget modal; useAuth() subscribes to widget
  onAuthChange so login in any tab updates the app instantly. Falls back
  to hosted login redirect if widget isn't loaded yet.
- App.tsx: render Landing page for unauthenticated state instead of
  hard redirect. Display username; add Logout button to topbar and
  Forbidden screen. Header uses username || email || sub.
- api.ts: throw ApiError(401) on 401 instead of redirecting — App.tsx
  re-fetches /api/me and shows the landing.
- @doc-manager/shared AuthPayload: email is optional now, username and
  displayName accepted. Backend /api/me returns username.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/api/src/routes/me.ts

@@ -6,7 +6,9 @@ export async function meRoutes(app: FastifyInstance) {
     const u = req.user!;
     return {
       sub: u.sub,
+      username: u.username,
       email: u.email,
+      displayName: u.displayName,
       groups: u.groups,
       isSuperuser: u.isSuperuser,
       docPermission: u.permissions[DOC_MANAGER_RESOURCE] ?? null,