feat: session-expired banner via ae_auth_error store

- Add ae_auth_error writable store to ae_stores.ts
- Wire api_get_object, api_post_object, api_patch_object to set
  ae_auth_error on 401/403 (browser-only guard, never fires SSR)
- Root layout watches ae_auth_error; only raises flag_expired when
  a JWT is present (prevents false trigger on unauthenticated loads)
- Dismissible amber banner added to root layout (non-blocking, above content)
- Tested via debug menu trigger; banner fires and clears correctly

src/lib/stores/ae_stores.ts

@@ -530,6 +530,10 @@ export const slct = writable(slct_obj_template);
 export const slct_trigger: any = writable(null);
 // console.log(`AE Stores - Selected Trigger:`, slct_trigger);
 
+// Auth error signal — set by API helpers on 401/403 to trigger the session-expired banner in the root layout.
+// Only set from browser context (never SSR). 'expired' covers both 401 and 403 responses.
+export const ae_auth_error = writable<{ type: 'expired' | null; ts: number | null }>({ type: null, ts: null });
+
 /* *** BEGIN *** Create time variable */
 // Updated 2020
 export const time = readable(new Date(), function start(set) {