P6 Stream U: AuthenticatedImage composable + CoilAuthInterceptor

Token-aware image loading matching iOS AuthenticatedImage.swift.
Bearer header attachment, 401-triggered refresh+retry, placeholder on error.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

composeApp/src/androidMain/kotlin/com/tt/honeyDue/MainActivity.kt

@@ -34,6 +34,8 @@ import com.tt.honeyDue.ui.theme.ThemeManager
 import com.tt.honeyDue.fcm.FCMManager
 import com.tt.honeyDue.platform.BillingManager
 import com.tt.honeyDue.network.APILayer
+import com.tt.honeyDue.network.ApiResult
+import com.tt.honeyDue.network.CoilAuthInterceptor
 import com.tt.honeyDue.sharing.ContractorSharingManager
 import com.tt.honeyDue.data.DataManager
 import com.tt.honeyDue.data.PersistenceManager
@@ -308,6 +310,20 @@ class MainActivity : FragmentActivity(), SingletonImageLoader.Factory {
     override fun newImageLoader(context: PlatformContext): ImageLoader {
         return ImageLoader.Builder(context)
             .components {
+                // Auth interceptor runs before the network fetcher so every
+                // image request carries the current Authorization header, with
+                // 401 -> refresh-token -> retry handled transparently. Mirrors
+                // iOS AuthenticatedImage.swift (Stream U).
+                add(
+                    CoilAuthInterceptor(
+                        tokenProvider = { TokenStorage.getToken() },
+                        refreshToken = {
+                            val r = APILayer.refreshToken()
+                            if (r is ApiResult.Success) r.data else null
+                        },
+                        authScheme = "Token",
+                    )
+                )
                 add(KtorNetworkFetcherFactory())
             }
             .memoryCache {