fix: switch from httpOnly cookies to localStorage Bearer token auth

Cookie-based auth was unreliable through Cloudflare/nginx proxy — cookie
was being sent for some requests but not others. Switch to returning JWT
in login response, storing in localStorage, and sending as Authorization
Bearer header on all API calls. Eliminates all cookie/SameSite/Secure
proxy issues.

src/routes/auth.ts

@@ -47,20 +47,10 @@ export async function authRoutes(app: FastifyInstance) {
     }
 
     const token = app.jwt.sign({ sub: user.id, username: user.username }, { expiresIn: "7d" });
-
-    reply.setCookie("token", token, {
-      httpOnly: true,
-      secure: true,
-      sameSite: "lax",
-      path: "/",
-      maxAge: 60 * 60 * 24 * 7,
-    });
-
-    return { username: user.username };
+    return { username: user.username, token };
   });
 
-  app.post("/auth/logout", async (_req, reply) => {
-    reply.clearCookie("token", { path: "/" });
+  app.post("/auth/logout", async () => {
     return { ok: true };
   });