feat(auth): rename session cookie to nanodrop_session

Flips SESSION_COOKIE_NAME from 'token' to 'nanodrop_session' per the
family per-app naming convention (<app>_session). fastify-jwt's
cookieName in server.ts is now sourced from the constant so a future
rename only needs to touch constants.ts.

Hard-cut migration with no dual-cookie shim: the existing 'token'
cookie has no Max-Age so it dies on browser close anyway, and this
is a single-user deployment per CLAUDE.md. Users re-log in once
after deploy.

Test files updated mechanically: cookies: { token } → cookies: {
nanodrop_session: token } (variable name 'token' kept locally),
clearCookie regex updated, login response now also asserts
Max-Age=2592000 from the family TTL.

src/server.ts

@@ -9,6 +9,7 @@ import { join } from 'path';
 import { fileURLToPath } from 'url';
 import type Database from 'better-sqlite3';
 import type { Config } from './config.ts';
+import { SESSION_COOKIE_NAME } from './constants.ts';
 import { createLogger } from './middleware/logging.ts';
 import { createLockoutService } from './services/lockout.ts';
 import { authApiRoutes } from './routes/api/v1/auth.ts';
@@ -30,7 +31,7 @@ export function createServer({ config, db }: ServerDeps) {
   app.register(fastifyCookie);
   app.register(fastifyJwt, {
     secret: config.jwtSecret,
-    cookie: { cookieName: 'token', signed: false },
+    cookie: { cookieName: SESSION_COOKIE_NAME, signed: false },
   });
   app.register(fastifyFormbody);
   app.register(fastifyMultipart, { limits: { fileSize: config.maxFileSize } });