fix: token refresh and seed tree visibility

Fix the broken JWT token refresh that caused "Failed to load trees" after
idle timeout. The refresh endpoint expected the token as a query param, but the
frontend sent it as an Authorization header. Added a proper dependency
(get_refresh_token_payload) and a refresh queue to handle concurrent 401s.

Also fix seed trees not being visible to non-admin users by updating
the seed script to set is_public/is_default on existing trees.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Michael Chihlas
2026-02-04 20:41:37 -05:00
parent 7fc98edf1c
commit 6b8b29571e
6 changed files with 197 additions and 45 deletions


@@ -12,13 +12,12 @@ from app.core.security import (
get_password_hash,
create_access_token,
create_refresh_token,
decode_token
)
from app.models.user import User
from app.models.invite_code import InviteCode
from app.schemas.user import UserCreate, UserResponse, UserLogin
from app.schemas.token import Token
from app.api.deps import get_current_user
from app.api.deps import get_current_user, get_refresh_token_payload
router = APIRouter(prefix="/auth", tags=["authentication"])
@@ -154,17 +153,10 @@ async def login_json(
@router.post("/refresh", response_model=Token)
async def refresh_token(
refresh_token: str,
payload: Annotated[dict, Depends(get_refresh_token_payload)],
db: Annotated[AsyncSession, Depends(get_db)]
):
"""Refresh access token using refresh token."""
payload = decode_token(refresh_token)
if payload is None or payload.get("type") != "refresh":
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid refresh token"
)
user_id = payload.get("sub")
result = await db.execute(select(User).where(User.id == user_id))
user = result.scalar_one_or_none()