feat(auth): rename session cookie to nanodrop_session

Flips SESSION_COOKIE_NAME from 'token' to 'nanodrop_session' per the
family per-app naming convention (<app>_session). fastify-jwt's
cookieName in server.ts is now sourced from the constant so a future
rename only needs to touch constants.ts.

Hard-cut migration with no dual-cookie shim: the existing 'token'
cookie has no Max-Age so it dies on browser close anyway, and this
is a single-user deployment per CLAUDE.md. Users re-log in once
after deploy.

Test files updated mechanically: cookies: { token } → cookies: {
nanodrop_session: token } (variable name 'token' kept locally),
clearCookie regex updated, login response now also asserts
Max-Age=2592000 from the family TTL.

tests/integration/auth-rate-limit.test.ts

@@ -56,14 +56,14 @@ describe('per-IP rate limit on login routes', () => {
       body: JSON.stringify({ username: 'alice', password: 'correct-pw' }),
     });
     expect(loginRes.statusCode).toBe(200);
-    const cookie = (loginRes.headers['set-cookie'] as string).split(';')[0].replace('token=', '');
+    const cookie = (loginRes.headers['set-cookie'] as string).split(';')[0].replace('nanodrop_session=', '');
 
     // Now hit /upload (GET) repeatedly past the login-route limit threshold
     for (let i = 0; i < 6; i++) {
       const r = await ctx.app.inject({
         method: 'GET',
         url: '/upload',
-        cookies: { token: cookie },
+        cookies: { nanodrop_session: cookie },
       });
       expect(r.statusCode).toBe(200);
     }