Move token verification from root layout SessionGate to (app) group layout, enabling cold-start verification without blocking public pages (privacy/terms). Show ActivityIndicator while verification is in progress, then redirect to login if unverified. BREAKING CHANGE: Authentication flow changed - token verification now occurs in the (app) layout group instead of root layout SessionGate wrapper.