Httponly cookies migration. continuation of UI PR.

[YounBrand]

Summary

• Migrate auth token storage from localStorage/sessionStorage to httpOnly cookies, eliminating XSS token theft as tokens are no longer accessible to JavaScript
• Fix onboarding re-entry bug where authenticated users with no Plaid link were sent to /dashboard with no path to link a bank account

What changed

Server

• Registered @fastify/cookie plugin in app.ts
• login sets accessToken and refreshToken as httpOnly, Secure, SameSite=Strict cookies; response body now contains only { user }
• logout reads refreshToken from cookie instead of request body; clears both cookies on success
• refresh reads refreshToken from cookie, rotates both tokens via Set-Cookie, returns { success: true }
• verifyJWT preHandler reads from request.cookies.accessToken instead of Authorization header
• Removed refreshToken from logoutSchema and refreshSchema request bodies; updated response schemas

Client

• Removed all token storage code (sessionStorage/localStorage, setTokens, clearTokens, getAccessToken)
• Added credentials: 'include' to all fetch() calls so the browser automatically sends cookies
• AuthProvider always checks session on mount via GET /api/auth/verify; login() reads user from response body
• Landing.tsx now redirects to /link-bank when agentBudgetApproved is false instead of always sending authenticated users to /dashboard

Tests

• All unit and integration tests updated: headers: { authorization: 'Bearer ...' } → cookies: { accessToken: token }
• @fastify/cookie registered in every test app builder that exercises protected routes
• Logout/refresh tests updated to pass tokens via cookies instead of request body
• Schema and controller tests updated to reflect cookie-based token delivery and new response shapes

Test plan

• Fresh page load with no session → lands on login page (401 on /api/auth/verify is expected and silent)
• Login → cookies set, redirected to dashboard or /link-bank based on onboarding state
• Refresh page after login → session persists, dashboard loads correctly
• Close tab and reopen → session persists (cookies survive tab close unlike sessionStorage)
• Logout → cookies cleared, redirected to login; subsequent protected requests return 401
• Login with wrong password → 401 with "Invalid email or password"
• All 52 test files pass: npm test in /server
• Client lint and build pass: npm run lint && npm run build in /client
• Server lint and build pass: npm run lint && npm run build in /server

The merge-base changed after approval.

The merge-base changed after approval.

The merge-base changed after approval.

The merge-base changed after approval.

[TimPolk]

The changes made look good

The merge-base changed after approval.

[gburger5]

Looks good

The merge-base changed after approval.

The merge-base changed after approval.

The merge-base changed after approval.