feat(auth): rename session cookie to nanodrop_session

Flips SESSION_COOKIE_NAME from 'token' to 'nanodrop_session' per the
family per-app naming convention (<app>_session). fastify-jwt's
cookieName in server.ts is now sourced from the constant so a future
rename only needs to touch constants.ts.

Hard-cut migration with no dual-cookie shim: the existing 'token'
cookie has no Max-Age so it dies on browser close anyway, and this
is a single-user deployment per CLAUDE.md. Users re-log in once
after deploy.

Test files updated mechanically: cookies: { token } → cookies: {
nanodrop_session: token } (variable name 'token' kept locally),
clearCookie regex updated, login response now also asserts
Max-Age=2592000 from the family TTL.

tests/integration/auth-api.test.ts

@@ -26,7 +26,8 @@ describe('POST /api/v1/auth/login', () => {
     });
     expect(res.statusCode).toBe(200);
     expect(res.json()).toEqual({ ok: true });
-    expect(res.headers['set-cookie']).toMatch(/token=/);
+    expect(res.headers['set-cookie']).toMatch(/nanodrop_session=/);
+    expect(res.headers['set-cookie']).toMatch(/Max-Age=2592000/);
   });
 
   it('returns 401 on wrong password', async () => {
@@ -76,7 +77,7 @@ describe('POST /api/v1/auth/logout', () => {
       body: JSON.stringify({ username: 'alice', password: 'secret' }),
     });
     const cookie = res.headers['set-cookie'] as string;
-    token = cookie.split(';')[0].replace('token=', '');
+    token = cookie.split(';')[0].replace('nanodrop_session=', '');
   });
 
   afterEach(async () => {
@@ -88,10 +89,10 @@ describe('POST /api/v1/auth/logout', () => {
     const res = await ctx.app.inject({
       method: 'POST',
       url: '/api/v1/auth/logout',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
     });
     expect(res.statusCode).toBe(200);
-    expect(res.headers['set-cookie']).toMatch(/token=;/);
+    expect(res.headers['set-cookie']).toMatch(/nanodrop_session=;/);
   });
 
   it('returns 401 without cookie', async () => {