…ary (#6864)

Resolves FR-2641, FR-2642 (under Story [FR-2627](https://lablup.atlassian.net/browse/FR-2627), Epic [FR-2616](https://lablup.atlassian.net/browse/FR-2616))

## Summary

Story 3 of Epic FR-2616: route `/edu-applauncher` and `/applauncher` now authenticate through `STokenLoginBoundary` before `EduAppLauncher` mounts. `_token_login` and the manual `backend-ai-connected` dispatch are removed from the component.

### Scope

- **Route wrapping** (`react/src/routes.tsx`): both edu-app routes read `sToken` via `useSToken()` and URL params via `useQueryStates(eduAppExtraParamSpec)`, then wrap `EduAppLauncherPage` with `STokenLoginBoundary`. The URL is intentionally not stripped on success (the launcher still passes `sToken` prop through for `eduApp.get_user_credential` and other params drive the launch sequence).
- **`EduAppLauncher` cleanup** (`react/src/components/EduAppLauncher.tsx`):
  - Removed `_token_login()` method and the URL parsing it owned.
  - Removed the manual `document.dispatchEvent(new CustomEvent('backend-ai-connected'))` call (the boundary now dispatches this exactly once).
  - **Removed the `auth` stage from `EduAppLaunchStage`** — authentication is no longer represented in the launcher's state machine or its stepper UI. Since the boundary runs `connectViaGQL` before `EduAppLauncher` mounts, the component always starts with a fully authenticated client.
  - **Deleted `_prepareProjectInformation()`** — `connectViaGQL` already populates `groups` / `groupIds` / `current_group` / `current_group_id` with a superset of the fields this helper fetched.
  - Proxy URL attach (`_attachProxyURL`) remains but is no longer labeled "auth"; failures now surface under the session step.
  - The stepper UI drops from 3 steps to 2 (`Preparing Session` → `Launching App`).
- **`extraParams` allowlist** (`react/src/routes.tsx:eduAppExtraParamSpec`): added `api_version`, `date`, `endpoint`. These are part of the LMS signing envelope forwarded with `sToken` in the old URL-scan based `_token_login`; the nuqs migration replaced the scan with an explicit allowlist and had dropped them, causing manager-side auth hooks that validate the signature against these fields to reject `token_login` as tampered.

## Test plan

- [x] `bash scripts/verify.sh` → `ALL PASS`
- [ ] Manual: launch from LMS URL `/edu-applauncher?sToken=<signed>&app=jupyterlab&api_version=...&date=...&endpoint=...&session_id=...` and confirm:
  - `POST /server/token-login` body contains all extra keys (check DevTools Network tab)
  - Stepper shows 2 steps ("Preparing Session", "Launching App") — no "Authentication" step
  - Successful launch opens the app in a new tab
- [ ] Regression scenarios covered by PR #6865 E2E: with / without `session_id`, invalid sToken surfaces stepper-integrated error

**Checklist:**

- [ ] Documentation
- [ ] Minium required manager version
- [ ] Specific setting for review (eg., KB link, endpoint or how to setup)
- [x] Minimum requirements to check during review
- [x] Test case(s) to demonstrate the difference of before/after

## Stack

Story 3 of Epic FR-2616. See [dev plan](../blob/main/.specs/draft-stoken-login-boundary/dev-plan.md) for the full story breakdown.

[FR-2627]: https://lablup.atlassian.net/browse/FR-2627
[FR-2616]: https://lablup.atlassian.net/browse/FR-2616