Summary
The auth server currently hard-codes cookie attributes (sameSite: 'strict', secure: true, domain: '.soulike.tech') and the CORS allowlist includes localhost. However, these settings are inconsistent for local development — cookies won't be sent from localhost because it's cross-site with SameSite=Strict and domain=.soulike.tech.
Similarly, @module/session-sdk hard-codes the auth endpoint as https://auth.soulike.tech/session, making it difficult to point the frontend at a local or staging auth server.
What should be configurable
Auth server (apps/server/auth)
Make cookie and CORS attributes environment-driven:
- koa-session-options.ts: sameSite, secure, domain should be configurable via env vars so local dev can use relaxed settings (e.g., sameSite: 'lax', secure: false, no domain)
- koa-cors-options.ts: The origin allowlist should be consistent with cookie policy — if cookies won't work from localhost, either remove it from the allowlist or make both environment-dependent
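One way to make both settings environment-driven and to catch the mismatch described above at startup, as an added example that is not the project's own code. The env variable names (AUTH_COOKIE_SAME_SITE, AUTH_COOKIE_SECURE, AUTH_COOKIE_DOMAIN, AUTH_CORS_ORIGINS) are assumptions, the sample environments are constructed, and the "site" computation ignores the public suffix list. The returned CookiePolicy has the same keys koa-session's options take, so it can be spread into them; the audit goes a step beyond the issue by checking every allowlisted origin, not only localhost.

```typescript
// Added example (not the project's own code). Assumed env variable names:
// AUTH_COOKIE_SAME_SITE, AUTH_COOKIE_SECURE, AUTH_COOKIE_DOMAIN, AUTH_CORS_ORIGINS.

type SameSite = 'strict' | 'lax' | 'none';

interface CookiePolicy {
  sameSite: SameSite;
  secure: boolean;
  domain?: string; // undefined = host-only cookie
}

type Env = Record<string, string | undefined>;

// Derive the cookie attributes koa-session receives from the environment.
// Production keeps today's hard-coded values as defaults; local dev overrides them.
function cookiePolicyFromEnv(env: Env): CookiePolicy {
  const sameSite = (env.AUTH_COOKIE_SAME_SITE ?? 'strict').toLowerCase();
  if (sameSite !== 'strict' && sameSite !== 'lax' && sameSite !== 'none') {
    throw new Error(`AUTH_COOKIE_SAME_SITE must be strict|lax|none, got "${sameSite}"`);
  }
  const secure = (env.AUTH_COOKIE_SECURE ?? 'true').toLowerCase() !== 'false';
  if (sameSite === 'none' && !secure) {
    throw new Error('SameSite=None is only accepted by browsers together with Secure');
  }
  const domain = env.AUTH_COOKIE_DOMAIN?.trim() || undefined;
  return { sameSite, secure, domain };
}

// Comma-separated allowlist for the CORS middleware; empty by default (no cross-origin access).
function corsOriginsFromEnv(env: Env): string[] {
  return (env.AUTH_CORS_ORIGINS ?? '').split(',').map((o) => o.trim()).filter(Boolean);
}

// Approximate "site" (scheme + registrable domain). Simplification: the public
// suffix list is ignored, so the last two labels are treated as the registrable domain.
function siteOf(origin: string): string {
  const { protocol, hostname } = new URL(origin);
  const labels = hostname.split('.');
  const isIp = /^[\d.]+$/.test(hostname) || hostname.includes(':');
  const registrable = (labels.length <= 2 || isIp) ? hostname : labels.slice(-2).join('.');
  return `${protocol}//${registrable}`;
}

function hostMatchesDomain(host: string, domain: string): boolean {
  const d = domain.replace(/^\./, '');
  return host === d || host.endsWith('.' + d);
}

// Would the session cookie set by authOrigin be stored by the browser and then
// sent on a credentialed fetch() from frontendOrigin? Models the rules the issue
// relies on: SameSite governs cross-site requests, Domain must cover the auth host,
// Secure requires https (browsers exempt localhost).
function cookieFlows(policy: CookiePolicy, frontendOrigin: string, authOrigin: string): boolean {
  const auth = new URL(authOrigin);
  if (policy.domain && !hostMatchesDomain(auth.hostname, policy.domain)) return false;
  if (policy.secure && auth.protocol !== 'https:' && auth.hostname !== 'localhost') return false;
  const sameSite = siteOf(frontendOrigin) === siteOf(authOrigin);
  // Strict and Lax both withhold the cookie on cross-site fetch/XHR; Lax only
  // relaxes top-level navigations, which a session endpoint call is not.
  if (policy.sameSite !== 'none' && !sameSite) return false;
  return true;
}

// Origins allowed by CORS that can never carry the session cookie: these should be
// dropped from the allowlist, or the cookie policy relaxed, before the server starts.
function inconsistentOrigins(policy: CookiePolicy, origins: string[], authOrigin: string): string[] {
  return origins.filter((o) => !cookieFlows(policy, o, authOrigin));
}

function audit(env: Env, authOrigin: string): string[] {
  return inconsistentOrigins(cookiePolicyFromEnv(env), corsOriginsFromEnv(env), authOrigin);
}

// Constructed sample environments (not the project's real configuration).
const PROD_ENV: Env = {
  AUTH_COOKIE_DOMAIN: '.soulike.tech',
  AUTH_CORS_ORIGINS: 'https://soulike.tech,http://localhost:3000',
};
const DEV_ENV: Env = {
  AUTH_COOKIE_SAME_SITE: 'lax',
  AUTH_COOKIE_SECURE: 'false',
  AUTH_CORS_ORIGINS: 'http://localhost:3000',
};

console.log(audit(PROD_ENV, 'https://auth.soulike.tech')); // ["http://localhost:3000"]
console.log(audit(DEV_ENV, 'http://localhost:4000'));       // []
```

Note that sameSite: 'lax' only helps local development because http://localhost:3000 and http://localhost:4000 are the same site; a Lax cookie is still withheld on a cross-site fetch, so a localhost frontend talking to the production auth host needs a different arrangement (same-site hosts or SameSite=None with Secure).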
Session SDK (modules/universal/session-sdk)
- The auth base URL (https://auth.soulike.tech/session) should be configurable (e.g., via build-time env var or runtime config) so the frontend can point at a local/staging auth server
References
- apps/server/auth/src/configurations/koa-session-options.ts
- apps/server/auth/src/configurations/koa-cors-options.ts
- modules/universal/session-sdk/