
fix: route API traffic through CloudFront for same-site cookie support #36

Merged
gburger5 merged 1 commit into main from Fix/api-gateway-cloudfront-routing
Apr 12, 2026
Conversation

@YounBrand (Collaborator)

Problem

After migrating auth tokens from localStorage to httpOnly cookies, login broke in production. The frontend (d1hpk0u9qgnsex.cloudfront.net) and API (u9114xh6q6.execute-api.us-east-1.amazonaws.com) are on different domains, so the browser blocks SameSite=Strict cookies on cross-origin requests — even with credentials: include.

This worked locally because frontend and API both run on localhost (same site).

Solution

Add API Gateway as a CloudFront origin and route all /api/* requests through CloudFront. The browser now sees only one domain for both the frontend and API, making cookies same-site. No code changes required — SameSite=Strict is the correct and most secure setting.

Infrastructure changes

  • frontend.tf — new API Gateway origin + /api/* cache behavior (caching disabled, all headers and cookies forwarded via AllViewerExceptHostHeader)
  • outputs.tf — updated description on api_gateway_url to clarify direct URL is for debugging only

Required follow-up

After terraform apply, update VITE_API_URL in CI/CD from the direct API Gateway URL to the CloudFront domain.

Security

  • SameSite=Strict remains unchanged — strongest CSRF protection
  • API Gateway no longer directly reachable from the browser
  • All traffic benefits from CloudFront WAF and DDoS protection

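The shape of the CloudFront change described in this PR (API Gateway as a second origin, an /api/* behavior with caching disabled and AllViewerExceptHostHeader), written out as an added illustration rather than the project's actual frontend.tf. The resource names (aws_cloudfront_distribution.frontend, the S3 bucket and origin access control, the "s3-frontend" and "api-gateway" origin ids), the local api_gw_host and the choice of Managed-CachingOptimized for the static origin are assumptions; the API hostname is the one quoted in the PR description.

```hcl
# Added example, not the PR's frontend.tf. Names below are assumed.

locals {
  # CloudFront origins take a bare hostname, not a URL.
  api_gw_host = "u9114xh6q6.execute-api.us-east-1.amazonaws.com"
}

# AWS-managed policies looked up by name instead of hard-coded IDs.
data "aws_cloudfront_cache_policy" "caching_optimized" {
  name = "Managed-CachingOptimized"
}

data "aws_cloudfront_cache_policy" "caching_disabled" {
  name = "Managed-CachingDisabled"
}

data "aws_cloudfront_origin_request_policy" "all_viewer_except_host" {
  name = "Managed-AllViewerExceptHostHeader"
}

resource "aws_cloudfront_distribution" "frontend" {
  enabled             = true
  default_root_object = "index.html"

  # Existing static-site origin (assumed S3 bucket behind an origin access control).
  origin {
    domain_name              = aws_s3_bucket.frontend.bucket_regional_domain_name
    origin_id                = "s3-frontend"
    origin_access_control_id = aws_cloudfront_origin_access_control.frontend.id
  }

  # New: API Gateway as a custom HTTPS-only origin.
  origin {
    domain_name = local.api_gw_host
    origin_id   = "api-gateway"
    # origin_path = "/prod"  # only needed if the stage name is part of the invoke URL

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "s3-frontend"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching_optimized.id
  }

  # Evaluated before default_cache_behavior; everything under /api/ goes to API Gateway.
  ordered_cache_behavior {
    path_pattern           = "/api/*"
    target_origin_id       = "api-gateway"
    viewer_protocol_policy = "https-only"
    # Login/logout need POST etc.; CloudFront only ever caches GET/HEAD.
    allowed_methods = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods  = ["GET", "HEAD"]

    # Authenticated responses carry Set-Cookie and per-user bodies; never cache them.
    cache_policy_id = data.aws_cloudfront_cache_policy.caching_disabled.id

    # Forward cookies, query strings and viewer headers, but let CloudFront
    # rewrite Host to the origin hostname: API Gateway routes on its own
    # Host value and returns an error for the CloudFront domain.
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer_except_host.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

Two things worth checking after apply. First, the Set-Cookie from the API now arrives on a response from the CloudFront hostname, so the browser stores it as a host-only cookie for that domain; with SameSite=Strict it is sent only when the request and the page share that site, which is exactly the single-domain model the PR relies on. Second, the direct execute-api hostname still answers requests (a WAF or resource policy is what would close it), so the "no longer directly reachable from the browser" property holds for the app's own traffic, not for anyone who knows the origin URL.
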
@gburger5 gburger5 merged commit fb569c7 into main Apr 12, 2026
1 check passed
@YounBrand YounBrand deleted the Fix/api-gateway-cloudfront-routing branch April 12, 2026 21:23