Copilot AI commented Jan 19, 2026

Summary

In multiuser mode, client state (generation parameters, UI state) was shared between all users due to a single-row constraint in the database. When User A generated an image and User B reloaded, B saw A's parameters.

Changes:

  • Database Migration 26: Restructured client_state table from single shared row to per-user storage with (user_id, key) primary key
  • Service Layer: Updated ClientStatePersistenceABC and ClientStatePersistenceSqlite to use user_id for isolation
  • API Layer: Added CurrentUser dependency to client_state endpoints for authentication
  • Tests: Comprehensive multiuser isolation test suite

Existing state migrates to 'system' user. Frontend remains compatible - queue_id parameter kept but ignored in favor of authenticated user_id.

Related Issues / Discussions

Issue describes generation parameter leakage between users on browser reload in multiuser mode.

QA Instructions

  1. Enable multiuser mode and create two users (A and B)
  2. Login as User A, set generation parameters (prompt, model, steps), generate an image
  3. Login as User B in different browser/incognito window
  4. Set different generation parameters, generate an image
  5. Reload User B's browser
  6. Expected: User B sees their own parameters
  7. Bug (before fix): User B would see User A's parameters

Test authentication requirements:

```bash
# Without auth token, should return 401
curl "http://localhost:9090/api/v1/client_state/default/get_by_key?key=test"

# With auth token, should succeed
curl -H "Authorization: Bearer <token>" \
  "http://localhost:9090/api/v1/client_state/default/get_by_key?key=test"
```

Merge Plan

Database migration from version 25→26 runs automatically on startup. No special merge considerations - migration is idempotent and handles both new installs and upgrades.

Checklist

  • The PR has a short but descriptive title, suitable for a changelog
  • Tests added / updated (if applicable)
  • ❗Changes to a redux slice have a corresponding migration
  • Documentation added / updated (if applicable)
  • Updated What's New copy (if doing a release after this PR)

Original prompt

This section details the original issue you should resolve

<issue_title>[bug]: Generation value leakage from A to B on window reload</issue_title>
<issue_description>### Is there an existing issue for this problem?

  • I have searched the existing issues

Install method

Invoke's Launcher

Operating system

Linux

GPU vendor

Nvidia (CUDA)

GPU model

No response

GPU VRAM

No response

Version number

6.10.0

Browser

No response

System Information

No response

What happened

When operating in multiuser mode, user A and user B log in with separate browsers.

  1. User A performs a generation.
  2. User B then reloads the browser window.
  3. Unexpectedly, the generation parameters (positive and negative prompt, model, steps, etc) appear in B's browser.

What you expected to happen

  • When A reloads the page, the last generation parameters used by A appear.
  • When B reloads the page, the last generation parameters used by B appear.
  • There is no leakage of data from one user to another.
  • When the Administrator is logged in, the last generation parameters used by the Administrator are loaded

How to reproduce the problem

No response

Additional context

No response

Discord username

No response</issue_description>

Comments on the Issue (you are @copilot in this section)


Copilot AI and others added 3 commits January 19, 2026 22:01
Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
…imestamp update

Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix generation value leakage between users on reload" to "fix(multiuser): Isolate client state per user to prevent data leakage" Jan 19, 2026
Copilot AI requested a review from lstein January 19, 2026 22:09
@lstein lstein marked this pull request as ready for review January 20, 2026 02:49
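
The storage change described in the PR summary above, as an added sketch that is not the project's own code. Only the `client_state` table name, the `(user_id, key)` primary key and the `'system'` user come from the PR description; the legacy single-row layout, the column names, the helper names and the sample values are assumptions.

```python
import json
import sqlite3

def create_legacy(db):
    # Assumed legacy layout: one shared row (CHECK id = 1) holding all keys as JSON.
    db.execute("CREATE TABLE client_state (id INTEGER PRIMARY KEY CHECK (id = 1), data TEXT)")

def legacy_get_all(db):
    rows = db.execute("SELECT data FROM client_state WHERE id = 1").fetchall()
    return json.loads(rows[0][0]) if rows else {}

def legacy_set(db, key, value):
    # No user dimension: every caller reads and overwrites the same row.
    state = {**legacy_get_all(db), key: value}
    db.execute("INSERT INTO client_state (id, data) VALUES (1, ?) "
               "ON CONFLICT(id) DO UPDATE SET data = excluded.data",
               (json.dumps(state),))

def migrate(db):
    # Idempotent: a table that already has a user_id column is left alone.
    if any(col[1] == "user_id" for col in db.execute("PRAGMA table_info(client_state)")):
        return
    old = legacy_get_all(db)
    db.execute("DROP TABLE client_state")
    db.execute("CREATE TABLE client_state (user_id TEXT NOT NULL, key TEXT NOT NULL, "
               "value TEXT NOT NULL, PRIMARY KEY (user_id, key))")
    # Pre-existing shared state is assigned to the 'system' user.
    db.executemany("INSERT INTO client_state VALUES ('system', ?, ?)", list(old.items()))

def set_by_key(db, user_id, key, value):
    # user_id comes from the authenticated session, never from a request parameter.
    db.execute("INSERT INTO client_state (user_id, key, value) VALUES (?, ?, ?) "
               "ON CONFLICT(user_id, key) DO UPDATE SET value = excluded.value",
               (user_id, key, value))

def get_by_key(db, user_id, key):
    rows = db.execute("SELECT value FROM client_state WHERE user_id = ? AND key = ?",
                      (user_id, key)).fetchall()
    return rows[0][0] if rows else None

def demo():
    db = sqlite3.connect(":memory:")
    create_legacy(db)
    legacy_set(db, "params", "prompt-from-A")      # constructed sample value
    leaked = legacy_get_all(db).get("params")      # what user B read before the fix
    for _ in range(2):                             # second run must be a no-op
        migrate(db)
    set_by_key(db, "user-b", "params", "prompt-from-B")
    return (leaked, get_by_key(db, "user-a", "params"),
            get_by_key(db, "user-b", "params"), get_by_key(db, "system", "params"))
```

After migration, a read for `user-a` returns nothing rather than the old shared value, which now lives only under `system`.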
Successfully merging this pull request may close these issues.

[bug]: Generation value leakage from A to B on window reload