Secure session

Sign in with cookie-based auth.

This starter keeps auth tokens off localStorage, retries a failed 401 once through `/api/auth/refresh`, and centralizes API parsing with Zod envelopes.