fix(security): remove GitHub access token from client-exposed session

[BCA-krishna]

Closes #2845

Problem

The NextAuth session() callback copied the GitHub access token onto
the session object. Since session is exposed to client-side code via
useSession()/getSession(), the raw GitHub token was readable by any
JavaScript running on the page — including a successful XSS payload —
giving full access to the user's GitHub account with the granted scopes.

Fix

• Removed session.accessToken = token.accessToken from the session()
  callback in src/lib/auth.ts. The token now stays only in the
  encrypted, HttpOnly JWT cookie that NextAuth manages — it never reaches
  the browser.
• Added a getAccessToken() helper in src/lib/get-session-token.ts
  that reads the token server-side only, directly from the JWT via
  next-auth/jwt's getToken().
• Migrated all API routes that previously read session.accessToken to
  call getAccessToken() instead (29 route files).
• Updated/added tests to mock getAccessToken() and to assert that
  accessToken is never present on the session object returned to the
  client.

Testing

• npm run type-check — 0 errors
• npm run lint — 0 errors (5 pre-existing unrelated <img> warnings)
• npm test — same failure count as main (all pre-existing/unrelated
  to this change — verified via git stash comparison); no new failures
  introduced by this fix

[github-actions]

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

• level:beginner — 20 pts
• level:intermediate — 35 pts
• level:advanced — 55 pts
• level:critical — 80 pts

Quality (optional):

• quality:clean — ×1.2 multiplier
• quality:exceptional — ×1.5 multiplier

Validation (required to score):

• gssoc:approved — counts for points
• gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus