feat(auth): rename session cookie to nanodrop_session

Flips SESSION_COOKIE_NAME from 'token' to 'nanodrop_session' per the
family per-app naming convention (<app>_session). fastify-jwt's
cookieName in server.ts is now sourced from the constant so a future
rename only needs to touch constants.ts.

Hard-cut migration with no dual-cookie shim: the existing 'token'
cookie has no Max-Age so it dies on browser close anyway, and this
is a single-user deployment per CLAUDE.md. Users re-log in once
after deploy.

Test files updated mechanically: cookies: { token } → cookies: {
nanodrop_session: token } (variable name 'token' kept locally),
clearCookie regex updated, login response now also asserts
Max-Age=2592000 from the family TTL.

tests/helpers/setup.ts

@@ -3,6 +3,7 @@ import { tmpdir } from 'os';
 import { join } from 'path';
 import { initDb } from '../../src/db/schema.ts';
 import { createServer } from '../../src/server.ts';
+import { SESSION_COOKIE_NAME } from '../../src/constants.ts';
 import type { Config } from '../../src/config.ts';
 import type Database from 'better-sqlite3';
 import type { FastifyInstance } from 'fastify';
@@ -15,7 +16,7 @@ export async function loginAs(app: FastifyInstance, username: string, password:
     body: JSON.stringify({ username, password }),
   });
   const cookie = res.headers['set-cookie'] as string;
-  return cookie.split(';')[0].replace('token=', '');
+  return cookie.split(';')[0].replace(`${SESSION_COOKIE_NAME}=`, '');
 }
 
 interface MultipartFile {