fix(web): use endsWith for /auth path exclusion in refresh interceptor

Avoids substring-match false positives on future endpoints whose URL could
contain /auth/refresh or /auth/login as infix (W-01 from verify report).

src/web/src/api/axiosClient.ts

@@ -64,8 +64,8 @@ axiosClient.interceptors.response.use(
       status !== 401 ||
       !original ||
       original._retry ||
-      url.includes('/auth/refresh') ||
-      url.includes('/auth/login')
+      url.endsWith('/auth/refresh') ||
+      url.endsWith('/auth/login')
     ) {
       return Promise.reject(error)
     }