fix(auth): invalidate sessions when 2FA is enabled, fix dev 401 loop

Add UserService.BumpLoginEpoch and call it from updateSetting when
TwoFactorEnable flips false → true. Existing cookies (issued under
the looser no-2FA policy) get a 401 on their next request and are
forced through the login flow. Disabling 2FA is a relaxation and
does not bump the epoch — sessions stay valid.

Also fix the dev-mode 401 redirect: targeting `${basePath}login.html`
breaks when basePath isn't "/" (Vite has no file at e.g.
"/test/login.html"; the SPA fallback loops the 401). Navigate to
basePath instead — Vite's bypassMigratedRoute and Go's index
handler both serve login.html for that path.

Strip stale doc-comment from netsafe and IndexController.logout
in line with the project's no-inline-comments convention.

frontend/src/api/axios-init.js

@@ -85,12 +85,8 @@ export function setupAxios() {
       if (status === 401) {
         if (!sessionExpired) {
           sessionExpired = true;
-          if (import.meta.env.DEV) {
-            const basePath = window.X_UI_BASE_PATH || '/';
-            window.location.href = `${basePath}login.html`;
-          } else {
-            window.location.reload();
-          }
+          const basePath = window.X_UI_BASE_PATH || '/';
+          window.location.replace(basePath);
         }
         return new Promise(() => { });
       }