feat(auth): family-wide session constants + mint primitive + auth factory

Adds src/constants.ts exporting the family-wide session policy
(SESSION_TTL_DAYS=30, SESSION_TTL_SECONDS=2_592_000,
SESSION_RENEW_THRESHOLD_SECONDS=3600, LOGOUT_PATHS) so every
bchen.dev app shares the same persistence window.

Introduces issueSessionCookie as the single mint site for
fastify-jwt sign + setCookie, replacing inlined jwt.sign +
setCookie calls in pages.ts and api/v1/auth.ts. The cookie now
carries Max-Age=SESSION_TTL_SECONDS so it persists across browser
restarts.

Converts requireAuth into a makeRequireAuth(config) factory; route
plugins build their own preHandler at registration time. Threads
through pages.ts, api/v1/auth.ts, and api/v1/files.ts.

SESSION_COOKIE_NAME stays 'token' in this commit so existing tests
remain green; the rename to 'nanodrop_session' lands in a follow-up.
JWT_EXPIRY env var is still read; its removal also lands in a
follow-up so each commit builds cleanly.

src/routes/api/v1/files.ts

@@ -7,7 +7,7 @@ import type { Logger } from '../../../middleware/logging.ts';
 import type { JwtPayload } from '../../../types.ts';
 import { createFile, getFilesByUserId, getFileById, deleteFile } from '../../../db/files.ts';
 import { saveFile, deleteStoredFile } from '../../../services/storage.ts';
-import { requireAuth } from '../../../middleware/auth.ts';
+import { makeRequireAuth } from '../../../middleware/auth.ts';
 
 interface Deps {
   db: Database.Database;
@@ -17,6 +17,7 @@ interface Deps {
 
 export const filesApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
   const { db, config } = deps;
+  const requireAuth = makeRequireAuth(config);
 
   app.get('/', { preHandler: requireAuth }, async (request, reply) => {
     const { sub: userId } = request.user as JwtPayload;