feat(auth): rename session cookie to nanodrop_session

Flips SESSION_COOKIE_NAME from 'token' to 'nanodrop_session' per the
family per-app naming convention (<app>_session). fastify-jwt's
cookieName in server.ts is now sourced from the constant so a future
rename only needs to touch constants.ts.

Hard-cut migration with no dual-cookie shim: the existing 'token'
cookie has no Max-Age so it dies on browser close anyway, and this
is a single-user deployment per CLAUDE.md. Users re-log in once
after deploy.

Test files updated mechanically: cookies: { token } → cookies: {
nanodrop_session: token } (variable name 'token' kept locally),
clearCookie regex updated, login response now also asserts
Max-Age=2592000 from the family TTL.

src/constants.ts

@@ -4,7 +4,5 @@
 export const SESSION_TTL_DAYS = 30;
 export const SESSION_TTL_SECONDS = SESSION_TTL_DAYS * 24 * 60 * 60;
 export const SESSION_RENEW_THRESHOLD_SECONDS = 60 * 60;
-// Phase 1: keep cookie name as 'token' so existing tests stay green.
-// Phase 2 flips this to 'nanodrop_session'.
-export const SESSION_COOKIE_NAME = 'token';
+export const SESSION_COOKIE_NAME = 'nanodrop_session';
 export const LOGOUT_PATHS = new Set<string>(['/logout', '/api/v1/auth/logout']);