- Build signin URL with redirect param so users return to their
original page after re-authentication
- Replace naive refresh lock with token-based ownership to prevent
cross-tab lock release conflicts
- Add stale lock detection with max age to avoid deadlocks from
crashed tabs
- Add timeout to waitUntilTokenRefreshed to prevent infinite polling
- Add tests for signin redirect URL building and refresh token logic
