IAM Auth Migration, Resolution Center Backend Filters & Inbox "Mark as Resolved" (QA Batch)

This QA batch promotes accumulated frontend changes from dev into qa for verification. The substantive changes in this PR are: (1) migrating the authentication layer to the new IAM microservice across the mail, admin, and vendor apps; (2) a redesign of the Forgot Password and Reset Password pages to match the login experience; (3) wiring Resolution Center grid column filters to the backend; and (4) a new "Mark as Resolved" bulk action in the inbox. Note: the PR description references additional work (WebSocket progress, Task Details, Upload Activity, pagination) that is not present in this PR's actual file set; this note is grounded only in the 37 changed files.

Authentication was being moved off the legacy monolith onto a dedicated IAM microservice, so every app that reads or validates a session had to point at the new endpoints and understand IAM's error format. Separately, Resolution Center grid filters were not reaching the backend (filters had no effect on results), and inbox users had no quick way to mark multiple items resolved in bulk.

• Login, logout, forgot-password, and reset-password now run through the IAM service for mail, admin, and vendor users; error messages (including rate-limit "too many attempts") render correctly from IAM responses.
• Forgot/Reset Password pages now share the branded split-panel login layout, giving a consistent, polished sign-in experience.
• Resolution Center column filters (status, date, assignee, etc.) now actually filter the grid against the backend and reset cleanly when switching status tabs.
• Inbox users can select mails (including select-all) and mark them resolved in one action.

• IAM auth migration: rewired auth endpoints from /api/v1/auth/* to /api/v1/iam/auth/* across apps/{admin,mail,vendor} middleware/routes and packages/auth-client. LoginResponse/AuthUser types in packages/types/src/auth.ts aligned to IAM cookie-mode (user_id, email, roles, auth_transport); entity_id/entity_type made optional. changePassword/refreshToken added to the auth API client. Login, forgot, and reset pages now read IAM's {"detail": ...} errors (with {"message"} fallback) and handle HTTP 429.
• Auth UI redesign: new shared apps/auth/src/components/auth/AuthLayout.tsx (split-panel branded layout); forgot-password and reset-password pages restyled to the LoginForm design tokens (navy #1e3a5f, icon-prefixed 38px inputs).
• Resolution Center filters: threaded a new statusFilter prop through data-grid.tsx and column-filter-popover.tsx, extended the reset-on-status-change effect to track it, and added backend grid wiring in resolution.services.ts (+74), resolution.queries.ts (+43), resolution.mutation.ts (cache invalidation for resolutionsGrid), and grid-columns services/queries.
• Inbox "Mark as Resolved": new dropdown button and confirmation modal in InboxGrid.tsx (+128) that sets global_lookup_statuses: [resolvedStatusId ?? 4], supports explicit and select-all modes, and handles async HTTP 202 bulk jobs via useBulkJobProgress.
• Misc: suppressHydrationWarning and fallback backend URL updates; http-client base tweak.

Medium. The auth-endpoint migration is the highest-risk item: any missed route or environment misconfiguration could block sign-in across mail, admin, or vendor. The resolvedStatusId ?? 4 hard-coded fallback assumes the backend "Resolved" status keeps ID 4. Mitigation: this is a QA-stage batch (not production); validate login across all three apps and all auth flows, and confirm the resolved status ID in the target environment before promotion.

• Login, logout, forgot-password, and reset-password through the IAM service on mail, admin, and vendor apps; confirm session validation via /api/v1/iam/auth/me.
• Verify IAM error rendering: wrong credentials (401/403), rate-limit (429), and invalid/expired reset token.
• Confirm forgot/reset pages render in the new branded split-panel layout and are responsive on mobile.
• Resolution Center: apply column filters (status/date/assignee), confirm the grid reflects them, and that filters reset when switching status tabs; confirm grid refreshes after assign/reassign/delete/update.
• Inbox "Mark as Resolved": test explicit selection and select-all; confirm items become resolved and async (202) jobs progress correctly.
• Smoke-check for hydration errors on the auth app load.