Session-based authentification

[MNassimM]

• Kind: feature / refactor / BREAKING CHANGE

Description

This PR introduces Learn-OCaml v2.0 session-based authentication while preserving backward compatibility for existing CLI users:

• adds a full set of “*_s” session endpoints on both the server and the client;
• all token → session relationships are stored in a session.json file within the sync directory
• keeps the original token endpoints, but marks them Upto v"2.0" so old (≤ 1.x) CLI clients continue to use them;
• the front side now stores only sync-session in the local storage;
• provides a one-shot migrate_from_legacy_token helper in the front-end that detects an old sync-token, logs in via the new /login route, stores the returned session, fetches the save file, then deletes the legacy sync-token – all with a small “connection preserved” alert.

Checklist

• [x] Read the CONTRIBUTING.md guide and:
  • [x] Use Atomic Commits so each commit gathers a single logical change
  • [x] Use Conventional Commits regarding commit messages (needed by our release toolchain)

Note to maintainers

• Read this wiki page.
• Make sure the PR has a milestone.
• Assign yourself before merging.
• [ ] Either do a regular merge:
  • for PRs containing several commits following conventional-commits,
  • or for PRs containing 1 commit shared with a later PR (to preserve the SHA1)
• [ ] Or do a squash-merge:
  • for PRs containing only 1 commit (not shared with a later PR),
  • or for PRs containing several commits that need not be kept in the history;
  • → Update the commit message header with a conventional-commit type,
  • → Add a footer Close #… if a related issue exists.

[erikmd]

Just FYI @MNassimM, I added three small commits following our recent discussions on the migration to decompress 1.5.3:

• avoiding the use of De.io_buffer_size that looks unneeded (and local testing is still fine)
• removing the inotify dependency from the *.locked file as it just doesn't work on macOS,
  see also https://opam.ocaml.org/packages/irmin-watcher/ that says "inotify" {os = "linux"}
• and adding the cryptokit dependency that was missing in the branch (it was certainly the cause of the CI failure).

Feel free to add other commits in the branch, and I propose that we'll interactively rebase your branch during our meeting tomorrow (in case you have Magit questions!)